From f5676fd2337e1b89f2147be08ef013f821930702 Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Wed, 16 Aug 2023 10:54:48 +0200 Subject: [PATCH] New upstream version (1.21.2) - Fix double-free in KDC TGS processing (CVE-2023-39975) Resolves: rhbz#2229113 - Make tests compatible with Python 3.12 Resolves: rhbz#2224013 Signed-off-by: Julien Rische --- .gitignore | 2 + ...ue-session-keys-with-deprecated-enct.patch | 309 +++++++++ ... 0002-downstream-ksu-pam-integration.patch | 4 +- ... 0003-downstream-SELinux-integration.patch | 6 +- ...ownstream-fix-debuginfo-with-y.tab.c.patch | 4 +- ... 0005-downstream-Remove-3des-support.patch | 91 +-- ...am-FIPS-with-PRNG-and-RADIUS-and-MD4.patch | 8 +- ...-krad-UDP-TCP-localhost-connection-w.patch | 4 +- ...tests-compatible-with-sssd_krb5_loca.patch | 4 +- ...-Include-missing-OpenSSL-FIPS-header.patch | 4 +- ...am-Do-not-set-root-as-ksu-file-owner.patch | 4 +- ...low-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch | 4 +- ...-to-set-PAC-ticket-signature-as-opti.patch | 8 +- ...PKINIT-CMS-SHA-1-signature-verificat.patch | 4 +- ...T-if-at-least-one-group-is-available.patch | 4 +- 0015-Replace-ssl.wrap_socket-for-tests.patch | 64 ++ krb5.spec | 601 +++++++++--------- sources | 4 +- 18 files changed, 743 insertions(+), 386 deletions(-) create mode 100644 0001-Revert-Don-t-issue-session-keys-with-deprecated-enct.patch rename 0001-downstream-ksu-pam-integration.patch => 0002-downstream-ksu-pam-integration.patch (99%) rename 0002-downstream-SELinux-integration.patch => 0003-downstream-SELinux-integration.patch (99%) rename 0003-downstream-fix-debuginfo-with-y.tab.c.patch => 0004-downstream-fix-debuginfo-with-y.tab.c.patch (95%) rename 0004-downstream-Remove-3des-support.patch => 0005-downstream-Remove-3des-support.patch (98%) rename 0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch => 0006-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch (99%) rename 0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch => 0007-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch (97%) rename 0007-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch => 0008-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch (94%) rename 0008-downstream-Include-missing-OpenSSL-FIPS-header.patch => 0009-downstream-Include-missing-OpenSSL-FIPS-header.patch (98%) rename 0009-downstream-Do-not-set-root-as-ksu-file-owner.patch => 0010-downstream-Do-not-set-root-as-ksu-file-owner.patch (93%) rename 0010-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch => 0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch (98%) rename 0011-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch => 0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch (98%) rename 0012-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch => 0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch (96%) rename 0013-Enable-PKINIT-if-at-least-one-group-is-available.patch => 0014-Enable-PKINIT-if-at-least-one-group-is-available.patch (99%) create mode 100644 0015-Replace-ssl.wrap_socket-for-tests.patch diff --git a/.gitignore b/.gitignore index 7db6eaa..7057bf9 100644 --- a/.gitignore +++ b/.gitignore @@ -204,3 +204,5 @@ /krb5-1.20.1.tar.gz.asc /krb5-1.21.tar.gz /krb5-1.21.tar.gz.asc +/krb5-1.21.2.tar.gz +/krb5-1.21.2.tar.gz.asc diff --git a/0001-Revert-Don-t-issue-session-keys-with-deprecated-enct.patch b/0001-Revert-Don-t-issue-session-keys-with-deprecated-enct.patch new file mode 100644 index 0000000..cc457ae --- /dev/null +++ b/0001-Revert-Don-t-issue-session-keys-with-deprecated-enct.patch @@ -0,0 +1,309 @@ +From 087d150e4afe47a8d269d5e80dcef2204b007ceb Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Wed, 16 Aug 2023 10:00:30 +0200 +Subject: [PATCH] Revert "Don't issue session keys with deprecated enctypes" + +This reverts commit 1b57a4d134bbd0e7c52d5885a92eccc815726463. +--- + doc/admin/conf_files/krb5_conf.rst | 12 ------------ + doc/admin/enctypes.rst | 23 +++------------------- + src/include/k5-int.h | 4 ---- + src/kdc/kdc_util.c | 10 ---------- + src/lib/krb5/krb/get_in_tkt.c | 31 +++++++++++------------------- + src/lib/krb5/krb/init_ctx.c | 10 ---------- + src/tests/gssapi/t_enctypes.py | 3 +-- + src/tests/t_etype_info.py | 2 +- + src/tests/t_sesskeynego.py | 28 ++------------------------- + src/util/k5test.py | 4 ++-- + 10 files changed, 20 insertions(+), 107 deletions(-) + +diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst +index ecdf917501..f22d5db11b 100644 +--- a/doc/admin/conf_files/krb5_conf.rst ++++ b/doc/admin/conf_files/krb5_conf.rst +@@ -95,18 +95,6 @@ Additionally, krb5.conf may include any of the relations described in + + The libdefaults section may contain any of the following relations: + +-**allow_des3** +- Permit the KDC to issue tickets with des3-cbc-sha1 session keys. +- In future releases, this flag will allow des3-cbc-sha1 to be used +- at all. The default value for this tag is false. (Added in +- release 1.21.) +- +-**allow_rc4** +- Permit the KDC to issue tickets with arcfour-hmac session keys. +- In future releases, this flag will allow arcfour-hmac to be used +- at all. The default value for this tag is false. (Added in +- release 1.21.) +- + **allow_weak_crypto** + If this flag is set to false, then weak encryption types (as noted + in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered +diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst +index dce19ad43e..694922c0d9 100644 +--- a/doc/admin/enctypes.rst ++++ b/doc/admin/enctypes.rst +@@ -48,15 +48,12 @@ Session key selection + The KDC chooses the session key enctype by taking the intersection of + its **permitted_enctypes** list, the list of long-term keys for the + most recent kvno of the service, and the client's requested list of +-enctypes. Starting in krb5-1.21, all services are assumed to support +-aes256-cts-hmac-sha1-96; also, des3-cbc-sha1 and arcfour-hmac session +-keys will not be issued by default. ++enctypes. + + Starting in krb5-1.11, it is possible to set a string attribute on a + service principal to control what session key enctypes the KDC may +-issue for service tickets for that principal, overriding the service's +-long-term keys and the assumption of aes256-cts-hmac-sha1-96 support. +-See :ref:`set_string` in :ref:`kadmin(1)` for details. ++issue for service tickets for that principal. See :ref:`set_string` ++in :ref:`kadmin(1)` for details. + + + Choosing enctypes for a service +@@ -90,20 +87,6 @@ affect how enctypes are chosen. + acceptable risk for your environment and the weak enctypes are + required for backward compatibility. + +-**allow_des3** +- was added in release 1.21 and defaults to *false*. Unless this +- flag is set to *true*, the KDC will not issue tickets with +- des3-cbc-sha1 session keys. In a future release, this flag will +- control whether des3-cbc-sha1 is permitted in similar fashion to +- weak enctypes. +- +-**allow_rc4** +- was added in release 1.21 and defaults to *false*. Unless this +- flag is set to *true*, the KDC will not issue tickets with +- arcfour-hmac session keys. In a future release, this flag will +- control whether arcfour-hmac is permitted in similar fashion to +- weak enctypes. +- + **permitted_enctypes** + controls the set of enctypes that a service will permit for + session keys and for ticket and authenticator encryption. The KDC +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index 2f7791b775..1d1c8293f4 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h +@@ -180,8 +180,6 @@ typedef unsigned char u_char; + * matches the variable name. Keep these alphabetized. */ + #define KRB5_CONF_ACL_FILE "acl_file" + #define KRB5_CONF_ADMIN_SERVER "admin_server" +-#define KRB5_CONF_ALLOW_DES3 "allow_des3" +-#define KRB5_CONF_ALLOW_RC4 "allow_rc4" + #define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto" + #define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local" + #define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names" +@@ -1240,8 +1238,6 @@ struct _krb5_context { + struct _kdb_log_context *kdblog_context; + + krb5_boolean allow_weak_crypto; +- krb5_boolean allow_des3; +- krb5_boolean allow_rc4; + krb5_boolean ignore_acceptor_hostname; + krb5_boolean enforce_ok_as_delegate; + enum dns_canonhost dns_canonicalize_hostname; +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c +index e54cc751f9..75e04b73db 100644 +--- a/src/kdc/kdc_util.c ++++ b/src/kdc/kdc_util.c +@@ -1088,16 +1088,6 @@ select_session_keytype(krb5_context context, krb5_db_entry *server, + if (!krb5_is_permitted_enctype(context, ktype[i])) + continue; + +- /* +- * Prevent these deprecated enctypes from being used as session keys +- * unless they are explicitly allowed. In the future they will be more +- * comprehensively disabled and eventually removed. +- */ +- if (ktype[i] == ENCTYPE_DES3_CBC_SHA1 && !context->allow_des3) +- continue; +- if (ktype[i] == ENCTYPE_ARCFOUR_HMAC && !context->allow_rc4) +- continue; +- + if (dbentry_supports_enctype(context, server, ktype[i])) + return ktype[i]; + } +diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c +index ea089f0fcc..1b420a3ac2 100644 +--- a/src/lib/krb5/krb/get_in_tkt.c ++++ b/src/lib/krb5/krb/get_in_tkt.c +@@ -1582,31 +1582,22 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options, + (*prompter)(context, data, 0, banner, 0, 0); + } + +-/* Display a warning via the prompter if a deprecated enctype was used for +- * either the reply key or the session key. */ ++/* Display a warning via the prompter if des3-cbc-sha1 was used for either the ++ * reply key or the session key. */ + static void +-warn_deprecated(krb5_context context, krb5_init_creds_context ctx, +- krb5_enctype as_key_enctype) ++warn_des3(krb5_context context, krb5_init_creds_context ctx, ++ krb5_enctype as_key_enctype) + { +- krb5_enctype etype; +- char encbuf[128], banner[256]; ++ const char *banner; + +- if (ctx->prompter == NULL) +- return; +- +- if (krb5int_c_deprecated_enctype(as_key_enctype)) +- etype = as_key_enctype; +- else if (krb5int_c_deprecated_enctype(ctx->cred.keyblock.enctype)) +- etype = ctx->cred.keyblock.enctype; +- else ++ if (as_key_enctype != ENCTYPE_DES3_CBC_SHA1 && ++ ctx->cred.keyblock.enctype != ENCTYPE_DES3_CBC_SHA1) + return; +- +- if (krb5_enctype_to_name(etype, FALSE, encbuf, sizeof(encbuf)) != 0) ++ if (ctx->prompter == NULL) + return; +- snprintf(banner, sizeof(banner), +- _("Warning: encryption type %s used for authentication is " +- "deprecated and will be disabled"), encbuf); + ++ banner = _("Warning: encryption type des3-cbc-sha1 used for " ++ "authentication is weak and will be disabled"); + /* PROMPTER_INVOCATION */ + (*ctx->prompter)(context, ctx->prompter_data, NULL, banner, 0, NULL); + } +@@ -1857,7 +1848,7 @@ init_creds_step_reply(krb5_context context, + ctx->complete = TRUE; + warn_pw_expiry(context, ctx->opt, ctx->prompter, ctx->prompter_data, + ctx->in_tkt_service, ctx->reply); +- warn_deprecated(context, ctx, encrypting_key.enctype); ++ warn_des3(context, ctx, encrypting_key.enctype); + + cleanup: + krb5_free_pa_data(context, kdc_padata); +diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c +index a6c2bbeb54..87b486c53f 100644 +--- a/src/lib/krb5/krb/init_ctx.c ++++ b/src/lib/krb5/krb/init_ctx.c +@@ -221,16 +221,6 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, + goto cleanup; + ctx->allow_weak_crypto = tmp; + +- retval = get_boolean(ctx, KRB5_CONF_ALLOW_DES3, 0, &tmp); +- if (retval) +- goto cleanup; +- ctx->allow_des3 = tmp; +- +- retval = get_boolean(ctx, KRB5_CONF_ALLOW_RC4, 0, &tmp); +- if (retval) +- goto cleanup; +- ctx->allow_rc4 = tmp; +- + retval = get_boolean(ctx, KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME, 0, &tmp); + if (retval) + goto cleanup; +diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py +index f5f11842e2..7494d7fcdb 100755 +--- a/src/tests/gssapi/t_enctypes.py ++++ b/src/tests/gssapi/t_enctypes.py +@@ -18,8 +18,7 @@ d_rc4 = 'DEPRECATED:arcfour-hmac' + # These tests make assumptions about the default enctype lists, so set + # them explicitly rather than relying on the library defaults. + supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal' +-conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4', +- 'allow_des3': 'true', 'allow_rc4': 'true'}, ++conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4'}, + 'realms': {'$realm': {'supported_enctypes': supp}}} + realm = K5Realm(krb5_conf=conf) + shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save')) +diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py +index 38cf96ca8f..c982508d8b 100644 +--- a/src/tests/t_etype_info.py ++++ b/src/tests/t_etype_info.py +@@ -1,7 +1,7 @@ + from k5test import * + + supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac' +-conf = {'libdefaults': {'allow_des3': 'true', 'allow_rc4': 'true'}, ++conf = {'libdefaults': {'allow_weak_crypto': 'true'}, + 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}} + realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf) + +diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py +index 5a213617b5..9024aee838 100755 +--- a/src/tests/t_sesskeynego.py ++++ b/src/tests/t_sesskeynego.py +@@ -25,8 +25,6 @@ conf3 = {'libdefaults': { + 'default_tkt_enctypes': 'aes128-cts', + 'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}} + conf4 = {'libdefaults': {'permitted_enctypes': 'aes256-cts'}} +-conf5 = {'libdefaults': {'allow_rc4': 'true'}} +-conf6 = {'libdefaults': {'allow_des3': 'true'}} + # Test with client request and session_enctypes preferring aes128, but + # aes256 long-term key. + realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False) +@@ -56,12 +54,10 @@ realm.run([kadminl, 'setstr', 'server', 'session_enctypes', + 'aes128-cts,aes256-cts']) + test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') + +-# 3b: Skip RC4 (as the KDC does not allow it for session keys by +-# default) and negotiate aes128-cts session key, with only an aes256 +-# long-term service key. ++# 3b: Negotiate rc4-hmac session key when principal only has aes256 long-term. + realm.run([kadminl, 'setstr', 'server', 'session_enctypes', + 'rc4-hmac,aes128-cts,aes256-cts']) +-test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') ++test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96') + realm.stop() + + # 4: Check that permitted_enctypes is a default for session key enctypes. +@@ -71,24 +67,4 @@ realm.run([kvno, 'user'], + expected_trace=('etypes requested in TGS request: aes256-cts',)) + realm.stop() + +-# 5: allow_rc4 permits negotiation of rc4-hmac session key. +-realm = K5Realm(krb5_conf=conf5, create_host=False, get_creds=False) +-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server']) +-realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac']) +-test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96') +-realm.stop() +- +-# 6: allow_des3 permits negotiation of des3-cbc-sha1 session key. +-realm = K5Realm(krb5_conf=conf6, create_host=False, get_creds=False) +-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server']) +-realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1']) +-test_kvno(realm, 'DEPRECATED:des3-cbc-sha1', 'aes256-cts-hmac-sha1-96') +-realm.stop() +- +-# 7: default config negotiates aes256-sha1 session key for RC4-only service. +-realm = K5Realm(create_host=False, get_creds=False) +-realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server']) +-test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'DEPRECATED:arcfour-hmac') +-realm.stop() +- + success('sesskeynego') +diff --git a/src/util/k5test.py b/src/util/k5test.py +index 8e5f5ba8e9..2a86c5cdfc 100644 +--- a/src/util/k5test.py ++++ b/src/util/k5test.py +@@ -1340,14 +1340,14 @@ _passes = [ + + # Exercise the DES3 enctype. + ('des3', None, +- {'libdefaults': {'permitted_enctypes': 'des3 aes256-sha1'}}, ++ {'libdefaults': {'permitted_enctypes': 'des3'}}, + {'realms': {'$realm': { + 'supported_enctypes': 'des3-cbc-sha1:normal', + 'master_key_type': 'des3-cbc-sha1'}}}), + + # Exercise the arcfour enctype. + ('arcfour', None, +- {'libdefaults': {'permitted_enctypes': 'rc4 aes256-sha1'}}, ++ {'libdefaults': {'permitted_enctypes': 'rc4'}}, + {'realms': {'$realm': { + 'supported_enctypes': 'arcfour-hmac:normal', + 'master_key_type': 'arcfour-hmac'}}}), +-- +2.41.0 + diff --git a/0001-downstream-ksu-pam-integration.patch b/0002-downstream-ksu-pam-integration.patch similarity index 99% rename from 0001-downstream-ksu-pam-integration.patch rename to 0002-downstream-ksu-pam-integration.patch index d33704a..08bfeab 100644 --- a/0001-downstream-ksu-pam-integration.patch +++ b/0002-downstream-ksu-pam-integration.patch @@ -1,4 +1,4 @@ -From 67c82a09c6c53713c281045cd55de2720cd06907 Mon Sep 17 00:00:00 2001 +From 2080ff4c57d29e74466987d673aaf25273160534 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:29:58 -0400 Subject: [PATCH] [downstream] ksu pam integration @@ -773,5 +773,5 @@ index 77be7a2025..587221936e 100644 if test "${localedir+set}" != set; then localedir='$(datadir)/locale' -- -2.40.1 +2.41.0 diff --git a/0002-downstream-SELinux-integration.patch b/0003-downstream-SELinux-integration.patch similarity index 99% rename from 0002-downstream-SELinux-integration.patch rename to 0003-downstream-SELinux-integration.patch index 840c2a3..cac0604 100644 --- a/0002-downstream-SELinux-integration.patch +++ b/0003-downstream-SELinux-integration.patch @@ -1,4 +1,4 @@ -From dfbac76ab7bb7e6e2c3171eefcaa93573e6b630e Mon Sep 17 00:00:00 2001 +From 3efc0e3ce4ccc8a89700f35bef041794982d95ca Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:30:53 -0400 Subject: [PATCH] [downstream] SELinux integration @@ -188,7 +188,7 @@ index 587221936e..69be9030f8 100644 if test "${localedir+set}" != set; then localedir='$(datadir)/locale' diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 2f7791b775..9c534faa8a 100644 +index 1d1c8293f4..768110e5ef 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -128,6 +128,7 @@ typedef unsigned char u_char; @@ -1034,5 +1034,5 @@ index 0000000000..807d039da3 + +#endif /* USE_SELINUX */ -- -2.40.1 +2.41.0 diff --git a/0003-downstream-fix-debuginfo-with-y.tab.c.patch b/0004-downstream-fix-debuginfo-with-y.tab.c.patch similarity index 95% rename from 0003-downstream-fix-debuginfo-with-y.tab.c.patch rename to 0004-downstream-fix-debuginfo-with-y.tab.c.patch index 40361ac..9368aa6 100644 --- a/0003-downstream-fix-debuginfo-with-y.tab.c.patch +++ b/0004-downstream-fix-debuginfo-with-y.tab.c.patch @@ -1,4 +1,4 @@ -From a9c463ed5988c860ebb18de212d6c56da1cb1169 Mon Sep 17 00:00:00 2001 +From 28677b932c200eba07576358b4e5df2ae22c8ecd Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:49:25 -0400 Subject: [PATCH] [downstream] fix debuginfo with y.tab.c @@ -40,5 +40,5 @@ index 8669c2436c..a22f23c02c 100644 install: $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) -- -2.40.1 +2.41.0 diff --git a/0004-downstream-Remove-3des-support.patch b/0005-downstream-Remove-3des-support.patch similarity index 98% rename from 0004-downstream-Remove-3des-support.patch rename to 0005-downstream-Remove-3des-support.patch index f7b5134..6c8ce3b 100644 --- a/0004-downstream-Remove-3des-support.patch +++ b/0005-downstream-Remove-3des-support.patch @@ -1,4 +1,4 @@ -From 0691db92e13e0d224c2c9dd72c1421d8f7c3c078 Mon Sep 17 00:00:00 2001 +From 6734a067c600ea6ad81d08fcc481609c2bad9fbb Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 26 Mar 2019 18:51:10 -0400 Subject: [PATCH] [downstream] Remove 3des support @@ -8,7 +8,7 @@ des3-hmac-sha1, des3-cbc-sha1-kd). Update all tests and documentation to user other enctypes. Mark the 3DES enctypes UNSUPPORTED and retain their constants. -Last-updated: 1.20-final +Last-updated: 1.21.1-final [antorres@redhat.com: remove diffs for: - src/kdamin/testing/proto/kdc.conf.proto - src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp @@ -98,19 +98,18 @@ Last-updated: 1.20-final src/plugins/preauth/pkinit/pkinit_crypto.h | 10 +- src/plugins/preauth/pkinit/pkinit_kdf_test.c | 30 -- src/plugins/preauth/spake/t_vectors.c | 25 -- - src/tests/gssapi/t_enctypes.py | 34 +- + src/tests/gssapi/t_enctypes.py | 33 +- src/tests/gssapi/t_invalid.c | 12 - src/tests/gssapi/t_pcontok.c | 16 +- src/tests/gssapi/t_prf.c | 7 - src/tests/t_authdata.py | 2 +- - src/tests/t_etype_info.py | 20 +- + src/tests/t_etype_info.py | 21 +- src/tests/t_keyrollover.py | 8 +- src/tests/t_mkey.py | 35 -- src/tests/t_salt.py | 5 +- - src/tests/t_sesskeynego.py | 8 - src/util/k5test.py | 7 - .../leash/htmlhelp/html/Encryption_Types.htm | 13 - - 90 files changed, 149 insertions(+), 4720 deletions(-) + 89 files changed, 149 insertions(+), 4712 deletions(-) delete mode 100644 src/lib/crypto/builtin/des/ISSUES delete mode 100644 src/lib/crypto/builtin/des/Makefile.in delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c @@ -200,10 +199,10 @@ index 74a0a2acef..846c58ed82 100644 While **aes128-cts** and **aes256-cts** are supported for all Kerberos diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst -index dce19ad43e..2b4ed7da0b 100644 +index 694922c0d9..c4d5499d3b 100644 --- a/doc/admin/enctypes.rst +++ b/doc/admin/enctypes.rst -@@ -146,7 +146,7 @@ enctype weak? krb5 Windows +@@ -129,7 +129,7 @@ enctype weak? krb5 Windows des-cbc-crc weak <1.18 >=2000 des-cbc-md4 weak <1.18 ? des-cbc-md5 weak <1.18 >=2000 @@ -212,7 +211,7 @@ index dce19ad43e..2b4ed7da0b 100644 arcfour-hmac deprecated >=1.3 >=2000 arcfour-hmac-exp weak >=1.3 >=2000 aes128-cts-hmac-sha1-96 >=1.3 >=Vista -@@ -165,9 +165,11 @@ default. +@@ -148,9 +148,11 @@ default. krb5 releases 1.17 and later flag deprecated encryption types (including ``des3-cbc-sha1`` and ``arcfour-hmac``) in KDC logs and kadmin output. krb5 release 1.19 issues a warning during initial @@ -363,10 +362,10 @@ index dd6430ece8..350bcf86f2 100644 #define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f /**< RFC 3962. Used with ENCTYPE_AES128_CTS_HMAC_SHA1_96 */ diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c -index e54cc751f9..ea10e23a95 100644 +index 75e04b73db..fe4e48209a 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c -@@ -1164,8 +1164,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen) +@@ -1154,8 +1154,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen) name = "rsaEncryption-EnvOID"; else if (ktype == ENCTYPE_RSA_ES_OAEP_ENV) name = "id-RSAES-OAEP-EnvOID"; @@ -375,7 +374,7 @@ index e54cc751f9..ea10e23a95 100644 else return krb5_enctype_to_name(ktype, FALSE, buf, buflen); -@@ -1657,8 +1655,6 @@ krb5_boolean +@@ -1647,8 +1645,6 @@ krb5_boolean enctype_requires_etype_info_2(krb5_enctype enctype) { switch(enctype) { @@ -5593,7 +5592,7 @@ index 84f1949887..32150f5e34 100644 case ENCTYPE_ARCFOUR_HMAC_EXP: /* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer" enctype, diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c -index a6c2bbeb54..18290b764b 100644 +index 87b486c53f..2b5abcd817 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c @@ -59,7 +59,6 @@ @@ -5604,7 +5603,7 @@ index a6c2bbeb54..18290b764b 100644 ENCTYPE_ARCFOUR_HMAC, ENCTYPE_CAMELLIA128_CTS_CMAC, ENCTYPE_CAMELLIA256_CTS_CMAC, 0 -@@ -460,8 +459,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey, +@@ -450,8 +449,6 @@ krb5int_parse_enctype_list(krb5_context context, const char *profkey, /* Set all enctypes in the default list. */ for (i = 0; default_list[i]; i++) mod_list(default_list[i], sel, weak, &list); @@ -5849,10 +5848,10 @@ index 2279202d3a..96b0307d78 100644 /* initial key, w, x, y, T, S, K */ "8846F7EAEE8FB117AD06BDD830B7586C", diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py -index f5f11842e2..1bb8c40b6b 100755 +index 7494d7fcdb..2f95d89967 100755 --- a/src/tests/gssapi/t_enctypes.py +++ b/src/tests/gssapi/t_enctypes.py -@@ -1,25 +1,17 @@ +@@ -1,24 +1,17 @@ from k5test import * -# Define some convenience abbreviations for enctypes we will see in @@ -5876,14 +5875,13 @@ index f5f11842e2..1bb8c40b6b 100755 # These tests make assumptions about the default enctype lists, so set # them explicitly rather than relying on the library defaults. -supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal' --conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4', -- 'allow_des3': 'true', 'allow_rc4': 'true'}, +-conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4'}, +supp='aes256-cts:normal aes128-cts:normal rc4-hmac:normal' -+conf = {'libdefaults': {'permitted_enctypes': 'aes rc4', 'allow_rc4': 'true'}, ++conf = {'libdefaults': {'permitted_enctypes': 'aes rc4'}, 'realms': {'$realm': {'supported_enctypes': supp}}} realm = K5Realm(krb5_conf=conf) shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save')) -@@ -88,19 +80,12 @@ test('both aes128', 'aes128-cts', 'aes128-cts', +@@ -87,19 +80,12 @@ test('both aes128', 'aes128-cts', 'aes128-cts', test_err('acc aes128', None, 'aes128-cts', 'Encryption type aes256-cts-hmac-sha1-96 not permitted') @@ -5904,7 +5902,7 @@ index f5f11842e2..1bb8c40b6b 100755 # subkey. test('upgrade noargs', None, None, tktenc=aes256, tktsession=d_rc4, -@@ -116,13 +101,6 @@ test('upgrade init aes128+rc4', 'aes128-cts rc4', None, +@@ -115,13 +101,6 @@ test('upgrade init aes128+rc4', 'aes128-cts rc4', None, tktenc=aes256, tktsession=d_rc4, proto='cfx', isubkey=rc4, asubkey=aes128) @@ -6008,20 +6006,21 @@ index bde1c36844..8fcd30db51 100644 realm.run(['./forward']) realm.run([kvno, realm.host_princ]) diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py -index 38cf96ca8f..e82ff7ff07 100644 +index c982508d8b..a6f538b66d 100644 --- a/src/tests/t_etype_info.py +++ b/src/tests/t_etype_info.py -@@ -1,7 +1,7 @@ +@@ -1,8 +1,7 @@ from k5test import * -supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac' --conf = {'libdefaults': {'allow_des3': 'true', 'allow_rc4': 'true'}, +-conf = {'libdefaults': {'allow_weak_crypto': 'true'}, +- 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}} +supported_enctypes = 'aes128-cts rc4-hmac' -+conf = {'libdefaults': {'allow_rc4': 'true'}, - 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}} ++conf = {'realms': {'$realm': {'supported_enctypes': supported_enctypes}}} realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf) -@@ -26,9 +26,9 @@ def test_etinfo(princ, enctypes, expected_lines): + realm.run([kadminl, 'addprinc', '-pw', 'pw', '+requires_preauth', +@@ -26,9 +25,9 @@ def test_etinfo(princ, enctypes, expected_lines): # With no newer enctypes in the request, PA-ETYPE-INFO2, # PA-ETYPE-INFO, and PA-PW-SALT appear in the AS-REP, each listing one # key for the most preferred matching enctype. @@ -6034,7 +6033,7 @@ index 38cf96ca8f..e82ff7ff07 100644 'asrep pw_salt KRBTEST.COMuser']) # With a newer enctype in the request (even if it is not the most -@@ -39,9 +39,9 @@ test_etinfo('user', 'rc4 aes256-cts', +@@ -39,9 +38,9 @@ test_etinfo('user', 'rc4 aes256-cts', # In preauth-required errors, PA-PW-SALT does not appear, but the same # etype-info2 values are expected. @@ -6047,7 +6046,7 @@ index 38cf96ca8f..e82ff7ff07 100644 test_etinfo('preauthuser', 'rc4 aes256-cts', ['error etype_info2 rc4-hmac KRBTEST.COMpreauthuser']) -@@ -50,8 +50,8 @@ test_etinfo('preauthuser', 'rc4 aes256-cts', +@@ -50,8 +49,8 @@ test_etinfo('preauthuser', 'rc4 aes256-cts', # (to allow for preauth mechs which don't depend on long-term keys). # An AS-REP cannot be generated without preauth as there is no reply # key. @@ -6159,34 +6158,8 @@ index 65084bbf35..55ca897459 100755 # Test using different salt types in a principal's key list. # Parameters from one key in the list must not leak over to later ones. -diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py -index 5a213617b5..c7dba0ff5b 100755 ---- a/src/tests/t_sesskeynego.py -+++ b/src/tests/t_sesskeynego.py -@@ -26,7 +26,6 @@ conf3 = {'libdefaults': { - 'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}} - conf4 = {'libdefaults': {'permitted_enctypes': 'aes256-cts'}} - conf5 = {'libdefaults': {'allow_rc4': 'true'}} --conf6 = {'libdefaults': {'allow_des3': 'true'}} - # Test with client request and session_enctypes preferring aes128, but - # aes256 long-term key. - realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False) -@@ -78,13 +77,6 @@ realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac']) - test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96') - realm.stop() - --# 6: allow_des3 permits negotiation of des3-cbc-sha1 session key. --realm = K5Realm(krb5_conf=conf6, create_host=False, get_creds=False) --realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server']) --realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1']) --test_kvno(realm, 'DEPRECATED:des3-cbc-sha1', 'aes256-cts-hmac-sha1-96') --realm.stop() -- - # 7: default config negotiates aes256-sha1 session key for RC4-only service. - realm = K5Realm(create_host=False, get_creds=False) - realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server']) diff --git a/src/util/k5test.py b/src/util/k5test.py -index 8e5f5ba8e9..b953827018 100644 +index 2a86c5cdfc..d823653aa0 100644 --- a/src/util/k5test.py +++ b/src/util/k5test.py @@ -1338,13 +1338,6 @@ _passes = [ @@ -6195,14 +6168,14 @@ index 8e5f5ba8e9..b953827018 100644 - # Exercise the DES3 enctype. - ('des3', None, -- {'libdefaults': {'permitted_enctypes': 'des3 aes256-sha1'}}, +- {'libdefaults': {'permitted_enctypes': 'des3'}}, - {'realms': {'$realm': { - 'supported_enctypes': 'des3-cbc-sha1:normal', - 'master_key_type': 'des3-cbc-sha1'}}}), - # Exercise the arcfour enctype. ('arcfour', None, - {'libdefaults': {'permitted_enctypes': 'rc4 aes256-sha1'}}, + {'libdefaults': {'permitted_enctypes': 'rc4'}}, diff --git a/src/windows/leash/htmlhelp/html/Encryption_Types.htm b/src/windows/leash/htmlhelp/html/Encryption_Types.htm index 1aebdd0b4a..c38eefd2bd 100644 --- a/src/windows/leash/htmlhelp/html/Encryption_Types.htm @@ -6228,5 +6201,5 @@ index 1aebdd0b4a..c38eefd2bd 100644 The AES Advanced Encryption Standard family, like 3DES, is a symmetric block cipher and was designed -- -2.40.1 +2.41.0 diff --git a/0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch b/0006-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch similarity index 99% rename from 0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch rename to 0006-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch index e575b79..d59a5bf 100644 --- a/0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch +++ b/0006-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch @@ -1,4 +1,4 @@ -From 53191fd3a1acfeefa8e5c26e7e9d130688daf745 Mon Sep 17 00:00:00 2001 +From dc3fd927ccd5b7b40049145c3fc7c610d72e9502 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 9 Nov 2018 15:12:21 -0500 Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4 @@ -41,10 +41,10 @@ Last-updated: krb5-1.20 15 files changed, 155 insertions(+), 33 deletions(-) diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst -index ecdf917501..b78a3faf0a 100644 +index f22d5db11b..a33711d918 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst -@@ -342,6 +342,12 @@ The libdefaults section may contain any of the following relations: +@@ -330,6 +330,12 @@ The libdefaults section may contain any of the following relations: qualification of shortnames, set this relation to the empty string with ``qualify_shortname = ""``. (New in release 1.18.) @@ -608,5 +608,5 @@ index 1a772d450f..232e78bc05 100644 vt->name = "spake"; vt->pa_type_list = pa_types; -- -2.40.1 +2.41.0 diff --git a/0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch b/0007-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch similarity index 97% rename from 0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch rename to 0007-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch index 68f10a0..2602e7a 100644 --- a/0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch +++ b/0007-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch @@ -1,4 +1,4 @@ -From c19d0bd35cde40172118c67c38a44f164bce1e16 Mon Sep 17 00:00:00 2001 +From 19db7e5b5d13732c2dfd08b35e2ad3f311553d54 Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Thu, 5 May 2022 17:15:12 +0200 Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection with FIPS @@ -77,5 +77,5 @@ index 929f1cef67..063f17a613 100644 retval = ESOCKTNOSUPPORT; goto error; -- -2.40.1 +2.41.0 diff --git a/0007-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch b/0008-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch similarity index 94% rename from 0007-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch rename to 0008-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch index f1c3ed6..844890e 100644 --- a/0007-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch +++ b/0008-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch @@ -1,4 +1,4 @@ -From 0366e8b5b2f960cb8305fd95839376b6c18aae42 Mon Sep 17 00:00:00 2001 +From 16d3f9a54d4707ae9de18f108a7b61965e83ceaf Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Wed, 7 Dec 2022 13:22:42 +0100 Subject: [PATCH] [downstream] Make tests compatible with @@ -37,5 +37,5 @@ index 87bac17929..26bc95a8dc 100644 fail('URI answers do not match') j += 1 -- -2.40.1 +2.41.0 diff --git a/0008-downstream-Include-missing-OpenSSL-FIPS-header.patch b/0009-downstream-Include-missing-OpenSSL-FIPS-header.patch similarity index 98% rename from 0008-downstream-Include-missing-OpenSSL-FIPS-header.patch rename to 0009-downstream-Include-missing-OpenSSL-FIPS-header.patch index 43648a7..ea123f7 100644 --- a/0008-downstream-Include-missing-OpenSSL-FIPS-header.patch +++ b/0009-downstream-Include-missing-OpenSSL-FIPS-header.patch @@ -1,4 +1,4 @@ -From a567b9de563cd8ad262f77cf97a8bc528a884745 Mon Sep 17 00:00:00 2001 +From 511a6260f0dadc3fe5ebe075f8b548eae026a1cc Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Thu, 5 Jan 2023 20:06:47 +0100 Subject: [PATCH] [downstream] Include missing OpenSSL FIPS header @@ -116,5 +116,5 @@ index 232e78bc05..3394f8a58e 100644 * The SPAKE kdcpreauth module uses a secure cookie containing the following * concatenated fields (all integer fields are big-endian): -- -2.40.1 +2.41.0 diff --git a/0009-downstream-Do-not-set-root-as-ksu-file-owner.patch b/0010-downstream-Do-not-set-root-as-ksu-file-owner.patch similarity index 93% rename from 0009-downstream-Do-not-set-root-as-ksu-file-owner.patch rename to 0010-downstream-Do-not-set-root-as-ksu-file-owner.patch index 0dd8834..46e759e 100644 --- a/0009-downstream-Do-not-set-root-as-ksu-file-owner.patch +++ b/0010-downstream-Do-not-set-root-as-ksu-file-owner.patch @@ -1,4 +1,4 @@ -From 6adfd97a3558aae4ace346685266bac9dae8bba9 Mon Sep 17 00:00:00 2001 +From 1b0bb0c3e5575559ea9135af5b9a1e91fe0f79f3 Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Mon, 9 Jan 2023 22:39:52 +0100 Subject: [PATCH] [downstream] Do not set root as ksu file owner @@ -27,5 +27,5 @@ index 7eaa2f351c..e9ae71471e 100644 ## ${prefix}. prefix=@prefix@ -- -2.40.1 +2.41.0 diff --git a/0010-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch b/0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch similarity index 98% rename from 0010-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch rename to 0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch index a78d09c..2d34be0 100644 --- a/0010-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch +++ b/0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch @@ -1,4 +1,4 @@ -From 73640dc4899494d010b83b080b3a65bd3e69177c Mon Sep 17 00:00:00 2001 +From 6e239888cdb938ddda2bf49ec03ad2af3923c381 Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Thu, 19 Jan 2023 19:22:27 +0100 Subject: [PATCH] [downstream] Allow KRB5KDF, MD5, and MD4 in FIPS mode @@ -161,5 +161,5 @@ index 5a43c3d9eb..8528ddc4a9 100644 ret = KRB5_CRYPTO_INTERNAL; goto done; -- -2.40.1 +2.41.0 diff --git a/0011-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch b/0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch similarity index 98% rename from 0011-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch rename to 0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch index 8109a84..00d2d0b 100644 --- a/0011-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch +++ b/0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch @@ -1,4 +1,4 @@ -From f47c9eb8618006012600a906367295ed53c558d0 Mon Sep 17 00:00:00 2001 +From 640492ecb4ee42edf33c343c08c01a549ed68a52 Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Wed, 15 Mar 2023 15:56:34 +0100 Subject: [PATCH] [downstream] Allow to set PAC ticket signature as optional @@ -124,7 +124,7 @@ index 350bcf86f2..17e1b52266 100644 krb5_error_code KRB5_CALLCONV krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c -index ea10e23a95..c7b6e4090d 100644 +index fe4e48209a..93415ba862 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -560,16 +560,36 @@ cleanup: @@ -258,7 +258,7 @@ index 4c50e935a2..d4b0455c8c 100644 krb5_kt_client_default krb5_kt_close diff --git a/src/man/kadmin.man b/src/man/kadmin.man -index d028dc2975..2c8d10067f 100644 +index 461207021b..e8d78309cb 100644 --- a/src/man/kadmin.man +++ b/src/man/kadmin.man @@ -724,6 +724,12 @@ encryption type. It may be necessary to set this value to @@ -275,5 +275,5 @@ index d028dc2975..2c8d10067f 100644 .sp This command requires the \fBmodify\fP privilege. -- -2.40.1 +2.41.0 diff --git a/0012-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch b/0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch similarity index 96% rename from 0012-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch rename to 0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch index c40ed12..ba2c6af 100644 --- a/0012-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch +++ b/0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch @@ -1,4 +1,4 @@ -From d1322546dca51100759eac318ce554bd301c50c3 Mon Sep 17 00:00:00 2001 +From 1b2f64d66e01c1abeefdb7cbef7b04035c2128c0 Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Tue, 23 May 2023 12:19:54 +0200 Subject: [PATCH] [downstream] Make PKINIT CMS SHA-1 signature verification @@ -43,5 +43,5 @@ index f41328763e..263ef7845e 100644 goto cleanup; } -- -2.40.1 +2.41.0 diff --git a/0013-Enable-PKINIT-if-at-least-one-group-is-available.patch b/0014-Enable-PKINIT-if-at-least-one-group-is-available.patch similarity index 99% rename from 0013-Enable-PKINIT-if-at-least-one-group-is-available.patch rename to 0014-Enable-PKINIT-if-at-least-one-group-is-available.patch index ebfa323..717eb43 100644 --- a/0013-Enable-PKINIT-if-at-least-one-group-is-available.patch +++ b/0014-Enable-PKINIT-if-at-least-one-group-is-available.patch @@ -1,4 +1,4 @@ -From a378b1970d92692baeddf6a8681f47efb13e343d Mon Sep 17 00:00:00 2001 +From d2b061bea524012edde2915aa95fc4cb6a6f3ae9 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Tue, 30 May 2023 01:21:48 -0400 Subject: [PATCH] Enable PKINIT if at least one group is available @@ -214,5 +214,5 @@ index 259e95c6c2..5ee39c085c 100644 TRACE(c, "PKINIT OpenSSL error: {str}", msg) -- -2.40.1 +2.41.0 diff --git a/0015-Replace-ssl.wrap_socket-for-tests.patch b/0015-Replace-ssl.wrap_socket-for-tests.patch new file mode 100644 index 0000000..d5eb3f4 --- /dev/null +++ b/0015-Replace-ssl.wrap_socket-for-tests.patch @@ -0,0 +1,64 @@ +From 42e831da09bd196068aeb7fe6bfe380bb46b846c Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Wed, 19 Jul 2023 13:43:17 +0200 +Subject: [PATCH] Replace ssl.wrap_socket() for tests + +The ssl.wrap_socket() function was deprecated in Python 3.7 and is +removed in Python 3.12. The ssl.SSLContext.wrap_socket() method +replaces it. + +Bump the required Python version for tests to 3.4 for +ssl.create_default_context(). + +[ghudson@mit.edu: changed minimum Python version] + +(cherry picked from commit 0ceab6c363e65fb21d3312a663f2b9b569ecc415) +--- + src/configure.ac | 9 ++++----- + src/util/wsgiref-kdcproxy.py | 4 +++- + 2 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/src/configure.ac b/src/configure.ac +index 2561e917a2..487f393146 100644 +--- a/src/configure.ac ++++ b/src/configure.ac +@@ -1157,10 +1157,9 @@ AC_SUBST(PKINIT) + # for lib/apputils + AC_REPLACE_FUNCS(daemon) + +-# For Python tests. Python version 3.2.4 is required as prior +-# versions do not accept string input to subprocess.Popen.communicate +-# when universal_newlines is set. +-PYTHON_MINVERSION=3.2.4 ++# For Python tests. Python version 3.4 is required for ++# ssl.create_default_context(). ++PYTHON_MINVERSION=3.4 + AC_SUBST(PYTHON_MINVERSION) + AC_CHECK_PROG(PYTHON,python3,python3) + if test x"$PYTHON" = x; then +@@ -1168,7 +1167,7 @@ if test x"$PYTHON" = x; then + fi + HAVE_PYTHON=no + if test x"$PYTHON" != x; then +- wantver="(sys.hexversion >= 0x30204F0)" ++ wantver="(sys.hexversion >= 0x30400F0)" + if "$PYTHON" -c "import sys; sys.exit(not $wantver and 1 or 0)"; then + HAVE_PYTHON=yes + fi +diff --git a/src/util/wsgiref-kdcproxy.py b/src/util/wsgiref-kdcproxy.py +index 58759696b6..d1d10d733c 100755 +--- a/src/util/wsgiref-kdcproxy.py ++++ b/src/util/wsgiref-kdcproxy.py +@@ -14,6 +14,8 @@ else: + pem = '*' + + server = make_server('localhost', port, kdcproxy.Application()) +-server.socket = ssl.wrap_socket(server.socket, certfile=pem, server_side=True) ++sslctx = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH) ++sslctx.load_cert_chain(certfile=pem) ++server.socket = sslctx.wrap_socket(server.socket, server_side=True) + os.write(sys.stdout.fileno(), b'proxy server ready\n') + server.serve_forever() +-- +2.41.0 + diff --git a/krb5.spec b/krb5.spec index 4932c63..03498cb 100644 --- a/krb5.spec +++ b/krb5.spec @@ -10,7 +10,7 @@ # # baserelease is what we have standardized across Fedora and what # rpmdev-bumpspec knows how to handle. -%global baserelease 3 +%global baserelease 1 # This should be e.g. beta1 or %%nil %global pre_release %nil @@ -24,7 +24,7 @@ %global krb5_version_major 1 %global krb5_version_minor 21 # For a release without a patch number set to %%nil -%global krb5_version_patch %nil +%global krb5_version_patch 2 %global krb5_version_major_minor %{krb5_version_major}.%{krb5_version_minor} %global krb5_version %{krb5_version_major_minor} @@ -59,19 +59,21 @@ Source13: kadmind.logrotate Source14: krb5-krb5kdc.conf Source15: %{name}-tests -Patch0001: 0001-downstream-ksu-pam-integration.patch -Patch0002: 0002-downstream-SELinux-integration.patch -Patch0003: 0003-downstream-fix-debuginfo-with-y.tab.c.patch -Patch0004: 0004-downstream-Remove-3des-support.patch -Patch0005: 0005-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch -Patch0006: 0006-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch -Patch0007: 0007-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch -Patch0008: 0008-downstream-Include-missing-OpenSSL-FIPS-header.patch -Patch0009: 0009-downstream-Do-not-set-root-as-ksu-file-owner.patch -Patch0010: 0010-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch -Patch0011: 0011-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch -Patch0012: 0012-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch -Patch0013: 0013-Enable-PKINIT-if-at-least-one-group-is-available.patch +Patch0001: 0001-Revert-Don-t-issue-session-keys-with-deprecated-enct.patch +Patch0002: 0002-downstream-ksu-pam-integration.patch +Patch0003: 0003-downstream-SELinux-integration.patch +Patch0004: 0004-downstream-fix-debuginfo-with-y.tab.c.patch +Patch0005: 0005-downstream-Remove-3des-support.patch +Patch0006: 0006-downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch +Patch0007: 0007-downstream-Allow-krad-UDP-TCP-localhost-connection-w.patch +Patch0008: 0008-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch +Patch0009: 0009-downstream-Include-missing-OpenSSL-FIPS-header.patch +Patch0010: 0010-downstream-Do-not-set-root-as-ksu-file-owner.patch +Patch0011: 0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch +Patch0012: 0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch +Patch0013: 0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch +Patch0014: 0014-Enable-PKINIT-if-at-least-one-group-is-available.patch +Patch0015: 0015-Replace-ssl.wrap_socket-for-tests.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -708,6 +710,13 @@ exit 0 %{_datarootdir}/%{name}-tests/ %changelog +* Wed Aug 16 2023 Julien Rische - 1.21.2-1 +- New upstream version (1.21.2) +- Fix double-free in KDC TGS processing (CVE-2023-39975) + Resolves: rhbz#2229113 +- Make tests compatible with Python 3.12 + Resolves: rhbz#2224013 + * Thu Jul 20 2023 Fedora Release Engineering - 1.21-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild @@ -937,7 +946,7 @@ exit 0 - Fix build of previous * Wed Oct 21 2020 Robbie Harwood - 1.18.2-26 -- Cross-realm s4u fixes for samba (#1836630) +- Cross-realm s4u fixes for samba (rhbz#1836630) * Thu Oct 15 2020 Robbie Harwood - 1.18.2-25 - Unify kvno option documentation @@ -1551,11 +1560,11 @@ exit 0 * Mon Jun 26 2017 Robbie Harwood - 1.15.1-13 - Fix arch name (ppc64le, not ppc64el) -- Related-to: #1464381 +- Related-to: rhbz#1464381 * Mon Jun 26 2017 Robbie Harwood - 1.15.1-12 - Skip test suite on ppc64el -- Related-to: #1464381 +- Related-to: rhbz#1464381 * Fri Jun 23 2017 Robbie Harwood - 1.15.1-11 - Include more test suite changes from upstream @@ -1766,7 +1775,7 @@ exit 0 - Backport patch to fix mechglue for gss_inqure_attrs_for_mech() * Thu Dec 03 2015 Robbie Harwood - 1.14-11 -- Backport interposer fix (#1284985) +- Backport interposer fix (rhbz#1284985) - Drop workaround pwsize initialization patch (gcc has been fixed) * Tue Nov 24 2015 Robbie Harwood - 1.14-10 @@ -1801,7 +1810,7 @@ exit 0 - New upstream beta version * Thu Oct 08 2015 Robbie Harwood - 1.13.2-13 -- Work around KDC client prinicipal in referrals issue (#1259844) +- Work around KDC client prinicipal in referrals issue (rhbz#1259844) * Thu Oct 01 2015 Robbie Harwood - 1.13.2-12 - Enable building with bad system /etc/krb5.conf @@ -1814,7 +1823,7 @@ exit 0 - Nix /usr/share/krb5.conf.d to reduce complexity * Wed Sep 23 2015 Robbie Harwood - 1.13.2-9 -- Depend on crypto-policies which provides /etc/krb5.conf.d (#1225792) +- Depend on crypto-policies which provides /etc/krb5.conf.d (rhbz#1225792) * Thu Sep 10 2015 Robbie Harwood - 1.13.2-8 - Remove dependency on systemd-sysv which is no longer needed for fedora > 20 @@ -1823,7 +1832,7 @@ exit 0 * Thu Sep 10 2015 Robbie Harwood - 1.13.2-7 - Support config snippets in /etc/krb5.conf.d/ and /usr/share/krb5.conf.d/ - (#1225792, #1146370, #1145808) + (rhbz#1225792, rhbz#1146370, rhbz#1145808) * Thu Jun 25 2015 Roland Mainz - 1.13.2-6 - Use system nss_wrapper and socket_wrapper for testing. @@ -1831,8 +1840,8 @@ exit 0 * Thu Jun 25 2015 Roland Mainz - 1.13.2-5 - Remove Zanata test glue and related workarounds - - Bug #1234292 ("IPA server cannot be run in container due to incorrect /usr/sbin/_kadmind") - - Bug #1234326 ("krb5-server introduces new rpm dependency on ksh") + - rhbz#1234292 ("IPA server cannot be run in container due to incorrect /usr/sbin/_kadmind") + - rhbz#1234326 ("krb5-server introduces new rpm dependency on ksh") * Thu Jun 18 2015 Roland Mainz - 1.13.2-4 - Fix dependicy on binfmt.service @@ -1841,12 +1850,12 @@ exit 0 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild * Tue Jun 2 2015 Roland Mainz - 1.13.2-2 -- Add patch to fix Redhat Bug #1227542 ("[SELinux] AVC denials may appear +- Add patch to fix Redhat rhbz#1227542 ("[SELinux] AVC denials may appear when kadmind starts"). The issue was caused by an unneeded |htons()| which triggered SELinux AVC denials due to the "random" port usage. * Thu May 21 2015 Roland Mainz - 1.13.2-1 -- Add fix for RedHat Bug #1164304 ("Upstream unit tests loads +- Add fix for RedHat rhbz#1164304 ("Upstream unit tests loads the installed shared libraries instead the ones from the build") * Thu May 14 2015 Roland Mainz - 1.13.2-0 @@ -1857,7 +1866,7 @@ exit 0 - Minor spec cleanup * Mon May 4 2015 Roland Mainz - 1.13.1-4 -- fix for CVE-2015-2694 (#1216133) "requires_preauth bypass +- fix for CVE-2015-2694 (rhbz#1216133) "requires_preauth bypass in PKINIT-enabled KDC". In MIT krb5 1.12 and later, when the KDC is configured with PKINIT support, an unauthenticated remote attacker can @@ -1867,13 +1876,13 @@ exit 0 dictionary attack against the user's password. * Wed Mar 25 2015 Roland Mainz - 1.13.1-3 -- Add temporay workaround for RH bug #1204646 ("krb5-config +- Add temporay workaround for RH rhbz#1204646 ("krb5-config returns wrong -specs path") which modifies krb5-config post build so that development of krb5 dependicies gets unstuck. This MUST be removed before rawhide becomes F23 ... * Thu Mar 19 2015 Roland Mainz - 1.13.1-2 -- fix for CVE-2014-5355 (#1193939) "krb5: unauthenticated +- fix for CVE-2014-5355 (rhbz#1193939) "krb5: unauthenticated denial of service in recvauth_common() and others" * Fri Feb 13 2015 Roland Mainz - 1.13.1-1 @@ -1884,13 +1893,13 @@ exit 0 - Minor spec cleanup * Wed Feb 4 2015 Roland Mainz - 1.13-8 -- fix for CVE-2014-5352 (#1179856) "gss_process_context_token() +- fix for CVE-2014-5352 (rhbz#1179856) "gss_process_context_token() incorrectly frees context (MITKRB5-SA-2015-001)" -- fix for CVE-2014-9421 (#1179857) "kadmind doubly frees partial +- fix for CVE-2014-9421 (rhbz#1179857) "kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001)" -- fix for CVE-2014-9422 (#1179861) "kadmind incorrectly +- fix for CVE-2014-9422 (rhbz#1179861) "kadmind incorrectly validates server principal name (MITKRB5-SA-2015-001)" -- fix for CVE-2014-9423 (#1179863) "libgssrpc server applications +- fix for CVE-2014-9423 (rhbz#1179863) "libgssrpc server applications leak uninitialized bytes (MITKRB5-SA-2015-001)" * Wed Feb 4 2015 Roland Mainz - 1.13-7 @@ -1902,17 +1911,17 @@ exit 0 - Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED (RT#8063) * Mon Jan 26 2015 Roland Mainz - 1.13-5 -- fix for kinit -C loops (#1184629, MIT/krb5 issue 243, "Do not +- fix for kinit -C loops (rhbz#1184629, MIT/krb5 issue 243, "Do not loop on principal unknown errors"). - Added "python-sphinx-latex" to the build requirements to fix build failures on F22 machines. * Thu Dec 18 2014 Roland Mainz - 1.13-4 -- fix for CVE-2014-5354 (#1174546) "krb5: NULL pointer +- fix for CVE-2014-5354 (rhbz#1174546) "krb5: NULL pointer dereference when using keyless entries" * Wed Dec 17 2014 Roland Mainz - 1.13-3 -- fix for CVE-2014-5353 (#1174543) "Fix LDAP misused policy +- fix for CVE-2014-5353 (rhbz#1174543) "Fix LDAP misused policy name crash" * Wed Oct 29 2014 Roland Mainz - 1.13-2 @@ -1922,18 +1931,18 @@ exit 0 * Wed Oct 29 2014 Roland Mainz - 1.13-1 - Update from krb5-1.13-alpha1 to final krb5-1.13 -- Removed patch for CVE-2014-5351 (#1145425) "krb5: current +- Removed patch for CVE-2014-5351 (rhbz#1145425) "krb5: current keys returned when randomizing the keys for a service principal" - now part of upstream sources -- Use patch for glibc |eventfd()| prototype mismatch (#1147887) only +- Use patch for glibc |eventfd()| prototype mismatch (rhbz#1147887) only for Fedora > 20 * Tue Sep 30 2014 Roland Mainz - 1.13-0.alpha1.3 - fix build failure caused by change of prototype for glibc - |eventfd()| (#1147887) + |eventfd()| (rhbz#1147887) * Mon Sep 29 2014 Roland Mainz - 1.13-0.alpha1.3 -- fix for CVE-2014-5351 (#1145425) "krb5: current keys returned when +- fix for CVE-2014-5351 (rhbz#1145425) "krb5: current keys returned when randomizing the keys for a service principal" * Mon Sep 8 2014 Nalin Dahyabhai - 1.13-0.alpha1.3 @@ -1949,7 +1958,7 @@ exit 0 * Wed Aug 20 2014 Nalin Dahyabhai - 1.12.2-3 - pull in upstream fix for an incorrect check on the value returned by a - strdup() call (#1132062) + strdup() call (rhbz#1132062) * Sun Aug 17 2014 Fedora Release Engineering - 1.12.2-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild @@ -1957,7 +1966,7 @@ exit 0 * Fri Aug 15 2014 Nalin Dahyabhai - 1.12.2-1 - update to 1.12.2 - drop patch for RT#7820, fixed in 1.12.2 - - drop patch for #231147, fixed as RT#3277 in 1.12.2 + - drop patch for rhbz#231147, fixed as RT#3277 in 1.12.2 - drop patch for RT#7818, fixed in 1.12.2 - drop patch for RT#7836, fixed in 1.12.2 - drop patch for RT#7858, fixed in 1.12.2 @@ -1968,7 +1977,7 @@ exit 0 - drop patch for CVE-2014-4344, included in 1.12.2 - drop patch for CVE-2014-4345, included in 1.12.2 - replace older proposed changes for ksu with backports of the changes - after review and merging upstream (#1015559, #1026099, #1118347) + after review and merging upstream (rhbz#1015559, rhbz#1026099, rhbz#1118347) * Thu Aug 7 2014 Nalin Dahyabhai - 1.12.1-14 - incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345) @@ -1979,21 +1988,21 @@ exit 0 * Wed Jul 16 2014 Nalin Dahyabhai - 1.12.1-12 - gssapi: pull in proposed fix for a double free in initiators (David - Woodhouse, CVE-2014-4343, #1117963) + Woodhouse, CVE-2014-4343, rhbz#1117963) * Sat Jul 12 2014 Tom Callaway - 1.12.1-11 - fix license handling * Mon Jul 7 2014 Nalin Dahyabhai - 1.12.1-10 - pull in fix for denial of service by injection of malformed GSSAPI tokens - (CVE-2014-4341, CVE-2014-4342, #1116181) + (CVE-2014-4341, CVE-2014-4342, rhbz#1116181) * Tue Jun 24 2014 Nalin Dahyabhai - 1.12.1-9 - pull in changes from upstream which add processing of the contents of - /etc/gss/mech.d/*.conf when loading GSS modules (#1102839) + /etc/gss/mech.d/*.conf when loading GSS modules (rhbz#1102839) * Thu Jun 12 2014 Nalin Dahyabhai - 1.12.1-8 -- pull in fix for building against tcl 8.6 (#1107061) +- pull in fix for building against tcl 8.6 (rhbz#1107061) * Sun Jun 08 2014 Fedora Release Engineering - 1.12.1-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild @@ -2005,14 +2014,14 @@ exit 0 - spnego: pull in patch from master to restore preserving the OID of the mechanism the initiator requested when we have multiple OIDs for the same mechanism, so that we reply using the same mechanism OID and the initiator - doesn't get confused (#1066000, RT#7858) + doesn't get confused (rhbz#1066000, RT#7858) * Fri Feb 7 2014 Nalin Dahyabhai - 1.12.1-4 - pull in patch from master to move the default directory which the KDC uses when computing the socket path for a local OTP daemon from the database directory (/var/kerberos/krb5kdc) to the newly-added run directory (/run/krb5kdc), in line with what we're expecting in 1.13 (RT#7859, more - of #1040056 as #1063905) + of rhbz#1040056 as rhbz#1063905) - add a tmpfiles.d configuration file to have /run/krb5kdc created at boot-time - own /var/run/krb5kdc @@ -2022,12 +2031,12 @@ exit 0 * Fri Jan 31 2014 Nalin Dahyabhai - add currently-proposed changes to teach ksu about credential cache - collections and the default_ccache_name setting (#1015559,#1026099) + collections and the default_ccache_name setting (rhbz#1015559,rhbz#1026099) * Tue Jan 21 2014 Nalin Dahyabhai - 1.12.1-2 - pull in multiple changes to allow replay caches to be added to a GSS - credential store as "rcache"-type credentials (RT#7818/#7819/#7836, - #1056078/#1056080) + credential store as "rcache"-type credentials (RT#7818/rhbz#7819/rhbz#7836, + rhbz#1056078/rhbz#1056080) * Fri Jan 17 2014 Nalin Dahyabhai - 1.12.1-1 - update to 1.12.1 @@ -2040,11 +2049,11 @@ exit 0 - drop patches for RT#7813 and RT#7815, included now - add patch to always retrieve the KDC time offsets from keyring caches, so that we don't mistakenly interpret creds as expired before their - time when our clock is ahead of the KDC's (RT#7820, #1030607) + time when our clock is ahead of the KDC's (RT#7820, rhbz#1030607) * Mon Jan 13 2014 Nalin Dahyabhai - 1.12-11 - update the PIC patch for iaesx86.s to not use ELF relocations to the version - that landed upstream (RT#7815, #1045699) + that landed upstream (RT#7815, rhbz#1045699) * Thu Jan 9 2014 Nalin Dahyabhai - pass -Wl,--warn-shared-textrel to the compiler when we're creating shared @@ -2059,16 +2068,16 @@ exit 0 master - make a guess at making the 32-bit AES-NI implementation sufficiently position-independent to not require execmod permissions for libk5crypto - (more of #1045699) + (more of rhbz#1045699) * Thu Jan 2 2014 Nalin Dahyabhai - 1.12-8 - add patch from Dhiru Kholia for the AES-NI implementations to allow libk5crypto to be properly marked as not needing an executable stack - on arches where they're used (#1045699, and so many others) + on arches where they're used (rhbz#1045699, and so many others) * Thu Jan 2 2014 Nalin Dahyabhai - 1.12-7 - revert that last change for a bit while sorting out execstack when we - use AES-NI (#1045699) + use AES-NI (rhbz#1045699) * Thu Dec 19 2013 Nalin Dahyabhai - 1.12-6 - add yasm as a build requirement for AES-NI support, on arches that have @@ -2076,7 +2085,7 @@ exit 0 * Thu Dec 19 2013 Nalin Dahyabhai - 1.12-5 - pull in fix from master to make reporting of errors encountered by - the SPNEGO mechanism work better (RT#7045, part of #1043962) + the SPNEGO mechanism work better (RT#7045, part of rhbz#1043962) * Thu Dec 19 2013 Nalin Dahyabhai - update a test wrapper to properly handle things that the new libkrad does, @@ -2086,19 +2095,19 @@ exit 0 - revise previous patch to initialize one more element * Wed Dec 18 2013 Nalin Dahyabhai - 1.12-3 -- backport fixes to krb5_copy_context (RT#7807, #1044735/#1044739) +- backport fixes to krb5_copy_context (RT#7807, rhbz#1044735/rhbz#1044739) * Wed Dec 18 2013 Nalin Dahyabhai - 1.12-2 - pull in fix from master to return a NULL pointer rather than allocating zero bytes of memory if we read a zero-length input token (RT#7794, part of - #1043962) + rhbz#1043962) - pull in fix from master to ignore an empty token from an acceptor if - we've already finished authenticating (RT#7797, part of #1043962) + we've already finished authenticating (RT#7797, part of rhbz#1043962) - pull in fix from master to avoid a memory leak when a mechanism's - init_sec_context function fails (RT#7803, part of #1043962) + init_sec_context function fails (RT#7803, part of rhbz#1043962) - pull in fix from master to avoid a memory leak in a couple of error cases which could occur while obtaining acceptor credentials (RT#7805, part - of #1043962) + of rhbz#1043962) * Wed Dec 11 2013 Nalin Dahyabhai - 1.12-1 - update to 1.12 final @@ -2115,9 +2124,9 @@ exit 0 * Mon Nov 18 2013 Nalin Dahyabhai - 1.11.4-2 - pull in fix to store KDC time offsets in keyring credential caches (RT#7768, - #1030607) + rhbz#1030607) - pull in fix to set expiration times on credentials stored in keyring - credential caches (RT#7769, #1031724) + credential caches (RT#7769, rhbz#1031724) * Tue Nov 12 2013 Nalin Dahyabhai - 1.11.4-1 - update to 1.11.4 @@ -2126,21 +2135,21 @@ exit 0 - drop patch for CVE-2013-1418/CVE-2013-6800, included in 1.11.4 * Tue Nov 12 2013 Nalin Dahyabhai - 1.11.3-31 -- switch to the simplified version of the patch for #1029110 (RT#7764) +- switch to the simplified version of the patch for rhbz#1029110 (RT#7764) * Mon Nov 11 2013 Nalin Dahyabhai - 1.11.3-30 - check more thoroughly for errors when resolving KEYRING ccache names of type "persistent", which should only have a numeric UID as the next part of the - name (#1029110) + name (rhbz#1029110) * Tue Nov 5 2013 Nalin Dahyabhai - 1.11.3-29 - incorporate upstream patch for remote crash of KDCs which serve multiple realms simultaneously (RT#7756, CVE-2013-1418/CVE-2013-6800, - #1026997/#1031501) + rhbz#1026997/rhbz#1031501) * Mon Nov 4 2013 Nalin Dahyabhai - 1.11.3-28 - drop patch to add additional access() checks to ksu - they add to breakage - when non-FILE: caches are in use (#1026099), shouldn't be resulting in any + when non-FILE: caches are in use (rhbz#1026099), shouldn't be resulting in any benefit, and clash with proposed changes to fix its cache handling * Tue Oct 22 2013 Nalin Dahyabhai - 1.11.3-27 @@ -2169,22 +2178,22 @@ exit 0 - BuildRequires: pkgconfig, since configure uses it * Wed Oct 16 2013 Nalin Dahyabhai - 1.11.3-26 -- create and own /etc/gss (#1019937) +- create and own /etc/gss (rhbz#1019937) * Tue Oct 15 2013 Nalin Dahyabhai - 1.11.3-25 - pull up fix for importing previously-exported credential caches in the - gssapi library (RT# 7706, #1019420) + gssapi library (RT# 7706, rhbz#1019420) * Mon Oct 14 2013 Nalin Dahyabhai - 1.11.3-24 - backport the callback to use the libkrb5 prompter when we can't load PEM - files for PKINIT (RT#7590, includes part of #965721/#1016690) -- extract the rest of the fix #965721/#1016690 from the changes for RT#7680 + files for PKINIT (RT#7590, includes part of rhbz#965721/rhbz#1016690) +- extract the rest of the fix rhbz#965721/rhbz#1016690 from the changes for RT#7680 * Mon Oct 14 2013 Nalin Dahyabhai - 1.11.3-23 -- fix trigger scriptlet's invocation of sed (#1016945) +- fix trigger scriptlet's invocation of sed (rhbz#1016945) * Fri Oct 4 2013 Nalin Dahyabhai - 1.11.3-22 -- rebuild with keyutils 1.5.8 (part of #1012043) +- rebuild with keyutils 1.5.8 (part of rhbz#1012043) * Wed Oct 2 2013 Nalin Dahyabhai - 1.11.3-21 - switch to the version of persistent-keyring that was just merged to @@ -2194,7 +2203,7 @@ exit 0 * Mon Sep 30 2013 Nalin Dahyabhai - 1.11.3-20 - pull up fix for not calling a kdb plugin's check-transited-path method before calling the library's default version, which only knows - how to read what's in the configuration file (RT#7709, #1013664) + how to read what's in the configuration file (RT#7709, rhbz#1013664) * Thu Sep 26 2013 Nalin Dahyabhai - 1.11.3-19 - configure --without-krb5-config so that we don't pull in the old default @@ -2205,7 +2214,7 @@ exit 0 - fix broken dependency on awk (should be gawk, rdieter) * Wed Sep 25 2013 Nalin Dahyabhai - 1.11.3-17 -- add missing dependency on newer keyutils-libs (#1012034) +- add missing dependency on newer keyutils-libs (rhbz#1012034) * Tue Sep 24 2013 Nalin Dahyabhai - 1.11.3-16 - back out setting default_ccache_name to the new default for now, resetting @@ -2213,11 +2222,11 @@ exit 0 * Mon Sep 23 2013 Nalin Dahyabhai - 1.11.3-15 - add explicit build-time dependency on a version of keyutils that's new - enough to include keyctl_get_persistent() (more of #991148) + enough to include keyctl_get_persistent() (more of rhbz#991148) * Thu Sep 19 2013 Nalin Dahyabhai - 1.11.3-14 - incorporate Simo's updated backport of his updated persistent-keyring changes - (more of #991148) + (more of rhbz#991148) * Fri Sep 13 2013 Nalin Dahyabhai - 1.11.3-13 - don't break during %%check when the session keyring is revoked @@ -2231,17 +2240,17 @@ exit 0 * Mon Sep 9 2013 Nalin Dahyabhai 1.11.3-11 - don't let comments intended for one scriptlet become part of the "script" - that gets passed to ldconfig as part of another one (Mattias Ellert, #1005675) + that gets passed to ldconfig as part of another one (Mattias Ellert, rhbz#1005675) * Fri Sep 6 2013 Nalin Dahyabhai 1.11.3-10 -- incorporate Simo's backport of his persistent-keyring changes (#991148) +- incorporate Simo's backport of his persistent-keyring changes (rhbz#991148) - restore build-time default DEFCCNAME on Fedora 21 and later and EL, and instead set default_ccache_name in the default krb5.conf's [libdefaults] - section (#991148) + section (rhbz#991148) - on releases where we expect krb5.conf to be configured with a default_ccache_name, add it whenever we upgrade from an older version of the package that wouldn't have included it in its default configuration - file (#991148) + file (rhbz#991148) * Fri Aug 23 2013 Nalin Dahyabhai 1.11.3-9 - take another stab at accounting for UnversionedDocdirs for the -libs @@ -2256,7 +2265,7 @@ exit 0 of files which dictate particular exit codes before exec'ing the actual binaries, instead of trying to use ConditionPathExists in the unit files to accomplish that, so that we exit with failure properly when what we - expect isn't actually in effect on the system (#800343) + expect isn't actually in effect on the system (rhbz#800343) * Mon Jul 29 2013 Nalin Dahyabhai 1.11.3-7 - attempt to account for UnversionedDocdirs for the -libs subpackage @@ -2268,11 +2277,11 @@ exit 0 * Mon Jul 22 2013 Nalin Dahyabhai 1.11.3-5 - pull up changes to allow GSSAPI modules to provide more functions - (RT#7682, #986564/#986565) + (RT#7682, rhbz#986564/rhbz#986565) * Fri Jul 19 2013 Nalin Dahyabhai 1.11.3-4 - use (a bundled, for now, copy of) nss_wrapper to let us run some of the - self-tests at build-time in more places than we could previously (#978756) + self-tests at build-time in more places than we could previously (rhbz#978756) - cover inconsistencies in whether or not there's a local caching nameserver that's willing to answer when the build environment doesn't have a resolver configuration, so that nss_wrapper's faking of the local @@ -2280,23 +2289,23 @@ exit 0 * Mon Jul 1 2013 Nalin Dahyabhai 1.11.3-3 - specify dependencies on the same arch of krb5-libs by using the %%{?_isa} - suffix, to avoid dragging 32-bit libraries onto 64-bit systems (#980155) + suffix, to avoid dragging 32-bit libraries onto 64-bit systems (rhbz#980155) * Thu Jun 13 2013 Nalin Dahyabhai 1.11.3-2 - special-case /run/user/0, attempting to create it when resolving a directory cache below it fails due to ENOENT and we find that it doesn't already exist, either, before attempting to create the directory cache - (maybe helping, maybe just making things more confusing for #961235) + (maybe helping, maybe just making things more confusing for rhbz#961235) * Tue Jun 4 2013 Nalin Dahyabhai 1.11.3-1 - update to 1.11.3 - drop patch for RT#7605, fixed in this release - drop patch for CVE-2002-2443, fixed in this release - drop patch for RT#7369, fixed in this release -- pull upstream fix for breaking t_skew.py by adding the patch for #961221 +- pull upstream fix for breaking t_skew.py by adding the patch for rhbz#961221 * Fri May 31 2013 Nalin Dahyabhai 1.11.2-10 -- respin with updated version of patch for RT#7650 (#969331) +- respin with updated version of patch for RT#7650 (rhbz#969331) * Thu May 30 2013 Nalin Dahyabhai 1.11.2-9 - don't forget to set the SELinux label when creating the directory for @@ -2312,22 +2321,22 @@ exit 0 * Tue May 28 2013 Nalin Dahyabhai 1.11.2-7 - backport fix for not being able to verify the list of transited realms - in GSS acceptors (RT#7639, #959685) + in GSS acceptors (RT#7639, rhbz#959685) - backport fix for not being able to pass an empty password to the - get-init-creds APIs and have them actually use it (RT#7642, #960001) + get-init-creds APIs and have them actually use it (RT#7642, rhbz#960001) - add backported proposed fix to use the unauthenticated server time as the basis for computing the requested credential expiration times, rather than the client's idea of the current time, which could be - significantly incorrect (#961221) + significantly incorrect (rhbz#961221) * Tue May 21 2013 Nalin Dahyabhai 1.11.2-6 - pull in upstream fix to start treating a KRB5CCNAME value that begins with DIR:: the same as it would a DIR: value with just one ccache file - in it (RT#7172, #965574) + in it (RT#7172, rhbz#965574) * Mon May 13 2013 Nalin Dahyabhai 1.11.2-5 - pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443, - #962531,#962534) + rhbz#962531,rhbz#962534) * Mon Apr 29 2013 Nathaniel McCallum 1.11.2-4 - Update otp patches @@ -2347,11 +2356,11 @@ exit 0 - drop pulled in patch for RT#7586, included in this release - drop pulled in patch for RT#7592, included in this release - pull in fix for keeping track of the message type when parsing FAST requests - in the KDC (RT#7605, #951843) (also #951965) + in the KDC (RT#7605, rhbz#951843) (also rhbz#951965) * Fri Apr 12 2013 Nalin Dahyabhai 1.11.1-9 - move the compiled-in default ccache location from the previous default of - FILE:/tmp/krb5cc_%%{uid} to DIR:/run/user/%%{uid}/krb5cc (part of #949588) + FILE:/tmp/krb5cc_%%{uid} to DIR:/run/user/%%{uid}/krb5cc (part of rhbz#949588) * Tue Apr 09 2013 Nathaniel McCallum - 1.11.1-8 - Update otp backport patches (libk5radius => libkrad) @@ -2372,8 +2381,8 @@ exit 0 * Tue Mar 26 2013 Nalin Dahyabhai 1.11.1-5 - pull up Simo's patch to mark the correct mechanism on imported GSSAPI contexts (RT#7592) -- go back to using reconf to run autoconf and autoheader (part of #925640) -- add temporary patch to use newer config.guess/config.sub (more of #925640) +- go back to using reconf to run autoconf and autoheader (part of rhbz#925640) +- add temporary patch to use newer config.guess/config.sub (more of rhbz#925640) * Mon Mar 18 2013 Nalin Dahyabhai - fix a version comparison to expect newer texlive build requirements when @@ -2384,12 +2393,12 @@ exit 0 - Add otp support * Thu Feb 28 2013 Nalin Dahyabhai 1.11.1-3 -- fix a memory leak when acquiring credentials using a keytab (RT#7586, #911110) +- fix a memory leak when acquiring credentials using a keytab (RT#7586, rhbz#911110) * Wed Feb 27 2013 Nalin Dahyabhai 1.11.1-2 -- prebuild PDF docs to reduce multilib differences (internal tooling, #884065) +- prebuild PDF docs to reduce multilib differences (internal tooling, rhbz#884065) - drop the kerberos-iv portreserve file, and drop the rest on systemd systems -- escape uses of macros in comments (more of #884065) +- escape uses of macros in comments (more of rhbz#884065) * Mon Feb 25 2013 Nalin Dahyabhai 1.11.1-1 - update to 1.11.1 @@ -2397,7 +2406,7 @@ exit 0 wrapper in the client transmit functions * Fri Feb 8 2013 Nalin Dahyabhai 1.11-2 -- set "rdns = false" in the default krb5.conf (#908323,#908324) +- set "rdns = false" in the default krb5.conf (rhbz#908323,rhbz#908324) * Tue Dec 18 2012 Nalin Dahyabhai 1.11-1 - update to 1.11 release @@ -2407,7 +2416,7 @@ exit 0 * Thu Dec 13 2012 Nalin Dahyabhai - when building with our bundled copy of libverto, package it in with -libs - rather than with -server (#886049) + rather than with -server (rhbz#886049) * Wed Nov 21 2012 Nalin Dahyabhai 1.11-0.beta1.0 - update to 1.11 beta 1 @@ -2429,9 +2438,9 @@ exit 0 * Thu Nov 15 2012 Nalin Dahyabhai - update to 1.11 alpha 1 - - drop backported patch for RT #7406 - - drop backported patch for RT #7407 - - drop backported patch for RT #7408 + - drop backported patch for RT rhbz#7406 + - drop backported patch for RT rhbz#7407 + - drop backported patch for RT rhbz#7408 - the new docs system generates PDFs, so stop including them as sources - drop backported patch to allow deltat.y to build with the usual warning flags and the current gcc @@ -2455,27 +2464,27 @@ exit 0 %%{?_rawbuild} builds (zmraz) * Tue Sep 25 2012 Nalin Dahyabhai 1.10.3-6 -- actually pull up the patch for RT#7063, and not some other ticket (#773496) +- actually pull up the patch for RT#7063, and not some other ticket (rhbz#773496) * Mon Sep 10 2012 Nalin Dahyabhai 1.10.3-5 - add patch based on one from Filip Krska to not call poll() with a negative - timeout when the caller's intent is for us to just stop calling it (#838548) + timeout when the caller's intent is for us to just stop calling it (rhbz#838548) * Fri Sep 7 2012 Nalin Dahyabhai - on EL6, conflict with libsmbclient before 3.5.10-124, which is when it - stopped linking with a symbol which we no longer export (#771687) + stopped linking with a symbol which we no longer export (rhbz#771687) - pull up patch for RT#7063, in which not noticing a prompt for a long time throws the client library's idea of the time difference between it - and the KDC really far out of whack (#773496) + and the KDC really far out of whack (rhbz#773496) - add a backport of more patches to set the client's list of supported enctypes when using a keytab to be the list of types of keys in the keytab, plus the list of other types the client supports but for which it doesn't have keys, in that order, so that KDCs have a better chance of being able to issue - tickets with session keys of types that the client can use (#837855) + tickets with session keys of types that the client can use (rhbz#837855) * Thu Sep 6 2012 Nalin Dahyabhai 1.10.3-4 - cut down the number of times we load SELinux labeling configuration from - a minimum of two times to actually one (more of #845125) + a minimum of two times to actually one (more of rhbz#845125) * Thu Aug 30 2012 Nalin Dahyabhai 1.10.3-3 - backport patch to disable replay detection in krb5_verify_init_creds() @@ -2493,7 +2502,7 @@ exit 0 * Thu Aug 2 2012 Nalin Dahyabhai 1.10.2-7 - selinux: hang on to the list of selinux contexts, freeing and reloading it only when the file we read it from is modified, freeing it when the - shared library is being unloaded (#845125) + shared library is being unloaded (rhbz#845125) * Thu Aug 2 2012 Nalin Dahyabhai 1.10.2-6 - go back to not messing with library file paths on Fedora 17: it breaks @@ -2503,7 +2512,7 @@ exit 0 * Tue Jul 31 2012 Nalin Dahyabhai 1.10.2-5 - add upstream patch to fix freeing an uninitialized pointer and dereferencing another uninitialized pointer in the KDC (MITKRB5-SA-2012-001, CVE-2012-1014 - and CVE-2012-1015, #844779 and #844777) + and CVE-2012-1015, rhbz#844779 and rhbz#844777) - fix a thinko in whether or not we mess around with devel .so symlinks on systems without a separate /usr (sbose) @@ -2529,7 +2538,7 @@ exit 0 - add a backport of Stef's patch to set the client's list of supported enctypes to match the types of keys that we have when we are using a keytab to try to get initial credentials, so that a KDC won't send us - an AS reply that we can't encrypt (RT#2131, #748528) + an AS reply that we can't encrypt (RT#2131, rhbz#748528) - don't shuffle around any shared libraries on releases with no-separate-/usr, since /usr/lib is the same place as /lib - add explicit buildrequires: on 'hostname', for the tests, on systems where @@ -2538,15 +2547,15 @@ exit 0 * Mon May 7 2012 Nalin Dahyabhai - skip the setfscreatecon() if fopen() is passed "rb" as the open mode (part - of #819115) + of rhbz#819115) * Tue May 1 2012 Nalin Dahyabhai 1.10.1-3 - have -server require /usr/share/dict/words, which we set as the default - dict_file in kdc.conf (#817089) + dict_file in kdc.conf (rhbz#817089) * Tue Mar 20 2012 Nalin Dahyabhai 1.10.1-2 -- change back dns_lookup_kdc to the default setting (Stef Walter, #805318) -- comment out example.com examples in default krb5.conf (Stef Walter, #805320) +- change back dns_lookup_kdc to the default setting (Stef Walter, rhbz#805318) +- comment out example.com examples in default krb5.conf (Stef Walter, rhbz#805320) * Fri Mar 9 2012 Nalin Dahyabhai 1.10.1-1 - update to 1.10.1 @@ -2557,7 +2566,7 @@ exit 0 * Wed Mar 7 2012 Nalin Dahyabhai 1.10-5 - when removing -workstation, remove our files from the info index while the file is still there, in %%preun, rather than %%postun, and use the - compressed file's name (#801035) + compressed file's name (rhbz#801035) * Tue Feb 21 2012 Nathaniel McCallum - 1.10-4 - Fix string RPC ACLs (RT#7093); CVE-2012-1012 @@ -2567,7 +2576,7 @@ exit 0 * Mon Jan 30 2012 Nalin Dahyabhai 1.10-2 - add patch to accept keytab entries with vno==0 as matches when we're - searching for an entry with a specific name/kvno (#230382/#782211,RT#3349) + searching for an entry with a specific name/kvno (rhbz#230382/rhbz#782211,RT#3349) * Mon Jan 30 2012 Nalin Dahyabhai 1.10-1 - update to 1.10 final @@ -2592,21 +2601,21 @@ exit 0 * Tue Dec 13 2011 Nalin Dahyabhai 1.10-0.alpha1.3 - pull in patch for RT#7046: tag a ccache containing credentials obtained via - S4U2Proxy with the principal name of the proxying principal (part of #761317) + S4U2Proxy with the principal name of the proxying principal (part of rhbz#761317) so that the default principal name can be set to that of the client for which it is proxying, which results in the ccache looking more normal to consumers of the ccache that don't care that there's proxying going on - pull in patch for RT#7047: allow tickets obtained via S4U2Proxy to be cached - (more of #761317) + (more of rhbz#761317) - pull in patch for RT#7048: allow PAC verification to only bother trying to - verify the signature with keys that it's given (still more of #761317) + verify the signature with keys that it's given (still more of rhbz#761317) * Tue Dec 6 2011 Nalin Dahyabhai 1.10-0.alpha1.2 - apply upstream patch to fix a null pointer dereference when processing - TGS requests (CVE-2011-1530, #753748) + TGS requests (CVE-2011-1530, rhbz#753748) * Wed Nov 30 2011 Nalin Dahyabhai 1.10-0.alpha1.1 -- correct a bug in the fix for #754001 so that the file creation context is +- correct a bug in the fix for rhbz#754001 so that the file creation context is consistently reset * Tue Nov 15 2011 Nalin Dahyabhai 1.10-0.alpha1.0 @@ -2621,27 +2630,27 @@ exit 0 should be able to run inside of the build system without issue * Wed Oct 26 2011 Fedora Release Engineering - 1.9.1-19 -- Rebuilt for glibc bug#747377 +- Rebuilt for glibc rhbz#747377 * Tue Oct 18 2011 Nalin Dahyabhai 1.9.1-18 - apply upstream patch to fix a null pointer dereference with the LDAP kdb - backend (CVE-2011-1527, #744125), an assertion failure with multiple kdb + backend (CVE-2011-1527, rhbz#744125), an assertion failure with multiple kdb backends (CVE-2011-1528), and a null pointer dereference with multiple kdb - backends (CVE-2011-1529) (#737711) + backends (CVE-2011-1529) (rhbz#737711) * Thu Oct 13 2011 Nalin Dahyabhai 1.9.1-17 - pull in patch from trunk to rename krb5int_pac_sign() to krb5_pac_sign() and - make it public (#745533) + make it public (rhbz#745533) * Fri Oct 7 2011 Nalin Dahyabhai 1.9.1-16 -- kadmin.service: fix #723723 again +- kadmin.service: fix rhbz#723723 again - kadmin.service,krb5kdc.service: remove optional use of $KRB5REALM in command lines, because systemd parsing doesn't handle alternate value shell variable syntax - kprop.service: add missing Type=forking so that systemd doesn't assume simple - kprop.service: expect the ACL configuration to be there, not absent - handle a harder-to-trigger assertion failure that starts cropping up when we - exit the transmit loop on time (#739853) + exit the transmit loop on time (rhbz#739853) * Sun Oct 2 2011 Tom Callaway 1.9.1-15 - hardcode pid file as option in krb5kdc.service @@ -2654,50 +2663,50 @@ exit 0 * Tue Sep 6 2011 Nalin Dahyabhai 1.9.1-12 - pull in upstream patch for RT#6952, confusion following referrals for - cross-realm auth (#734341) + cross-realm auth (rhbz#734341) - pull in build-time deps for the tests * Thu Sep 1 2011 Nalin Dahyabhai 1.9.1-11 -- switch to the upstream patch for #727829 +- switch to the upstream patch for rhbz#727829 * Wed Aug 31 2011 Nalin Dahyabhai 1.9.1-10 - handle an assertion failure that starts cropping up when the patch for - using poll (#701446) meets servers that aren't running KDCs or against - which the connection fails for other reasons (#727829, #734172) + using poll (rhbz#701446) meets servers that aren't running KDCs or against + which the connection fails for other reasons (rhbz#727829, rhbz#734172) * Mon Aug 8 2011 Nalin Dahyabhai 1.9.1-9 - override the default build rules to not delete temporary y.tab.c files, so that they can be packaged, allowing debuginfo files which point to them - do so usefully (#729044) + do so usefully (rhbz#729044) * Fri Jul 22 2011 Nalin Dahyabhai 1.9.1-8 -- build shared libraries with partial RELRO support (#723995) +- build shared libraries with partial RELRO support (rhbz#723995) - filter out potentially multiple instances of -Wl,-z,relro from krb5-config output, now that it's in the buildroot's default LDFLAGS - pull in a patch to fix losing track of the replay cache FD, from SVN by way of Kevin Coffman * Wed Jul 20 2011 Nalin Dahyabhai 1.9.1-7 -- kadmind.init: drop the attempt to detect no-database-present errors (#723723), +- kadmind.init: drop the attempt to detect no-database-present errors (rhbz#723723), which is too fragile in cases where the database has been manually moved or is accessed through another kdb plugin * Tue Jul 19 2011 Nalin Dahyabhai 1.9.1-6 - backport fixes to teach libkrb5 to use descriptors higher than FD_SETSIZE - to talk to a KDC by using poll() if it's detected at compile-time (#701446, + to talk to a KDC by using poll() if it's detected at compile-time (rhbz#701446, RT#6905) * Thu Jun 23 2011 Nalin Dahyabhai 1.9.1-5 - pull a fix from SVN to try to avoid triggering a PTR lookup in getaddrinfo() during krb5_sname_to_principal(), and to let getaddrinfo() decide whether or not to ask for an IPv6 address based on the set of configured interfaces - (#717378, RT#6922) + (rhbz#717378, RT#6922) - pull a fix from SVN to use AI_ADDRCONFIG more often (RT#6923) * Mon Jun 20 2011 Nalin Dahyabhai 1.9.1-4 - apply upstream patch by way of Burt Holzman to fall back to a non-referral method in cases where we might be derailed by a KDC that rejects the - canonicalize option (for example, those from the RHEL 2.1 or 3 era) (#715074) + canonicalize option (for example, those from the RHEL 2.1 or 3 era) (rhbz#715074) * Tue Jun 14 2011 Nalin Dahyabhai 1.9.1-3 - pull a fix from SVN to get libgssrpc clients (e.g. kadmin) authenticating @@ -2705,13 +2714,13 @@ exit 0 * Tue Jun 14 2011 Nalin Dahyabhai - incorporate a fix to teach the file labeling bits about when replay caches - are expunged (#576093) + are expunged (rhbz#576093) * Thu May 26 2011 Nalin Dahyabhai -- switch to the upstream patch for #707145 +- switch to the upstream patch for rhbz#707145 * Wed May 25 2011 Nalin Dahyabhai 1.9.1-2 -- klist: don't trip over referral entries when invoked with -s (#707145, +- klist: don't trip over referral entries when invoked with -s (rhbz#707145, RT#6915) * Fri May 6 2011 Nalin Dahyabhai @@ -2724,26 +2733,26 @@ exit 0 CVE-2011-0282, CVE-2011-0283, CVE-2011-0284, CVE-2011-0285 * Wed Apr 13 2011 Nalin Dahyabhai 1.9-9 -- kadmind: add upstream patch to fix free() on an invalid pointer (#696343, +- kadmind: add upstream patch to fix free() on an invalid pointer (rhbz#696343, MITKRB5-SA-2011-004, CVE-2011-0285) * Mon Apr 4 2011 Nalin Dahyabhai - don't discard the error code from an error message received in response - to a change-password request (#658871, RT#6893) + to a change-password request (rhbz#658871, RT#6893) * Fri Apr 1 2011 Nalin Dahyabhai - override INSTALL_SETUID at build-time so that ksu is installed into - the buildroot with the right permissions (part of #225974) + the buildroot with the right permissions (part of rhbz#225974) * Fri Mar 18 2011 Nalin Dahyabhai 1.9-8 - backport change from SVN to fix a computed-value-not-used warning in - kpropd (#684065) + kpropd (rhbz#684065) * Tue Mar 15 2011 Nalin Dahyabhai 1.9-7 - turn off NSS as the backend for libk5crypto for now to work around its - DES string2key not working (#679012) + DES string2key not working (rhbz#679012) - add revised upstream patch to fix double-free in KDC while returning - typed-data with errors (MITKRB5-SA-2011-003, CVE-2011-0284, #674325) + typed-data with errors (MITKRB5-SA-2011-003, CVE-2011-0284, rhbz#674325) * Thu Feb 17 2011 Nalin Dahyabhai - throw in a not-applied-by-default patch to try to make pkinit debugging @@ -2756,14 +2765,14 @@ exit 0 * Wed Feb 9 2011 Nalin Dahyabhai 1.9-5 - krb5kdc init script: prototype some changes to do a quick spot-check of the TGS and kadmind keys and warn if there aren't any non-weak keys - on file for them (to flush out parts of #651466) + on file for them (to flush out parts of rhbz#651466) * Tue Feb 8 2011 Nalin Dahyabhai 1.9-4 - add upstream patches to fix standalone kpropd exiting if the per-client child process exits with an error (MITKRB5-SA-2011-001), a hang or crash in the KDC when using the LDAP kdb backend, and an uninitialized pointer - use in the KDC (MITKRB5-SA-2011-002) (CVE-2010-4022, #664009, - CVE-2011-0281, #668719, CVE-2011-0282, #668726, CVE-2011-0283, #676126) + use in the KDC (MITKRB5-SA-2011-002) (CVE-2010-4022, rhbz#664009, + CVE-2011-0281, rhbz#668719, CVE-2011-0282, rhbz#668726, CVE-2011-0283, rhbz#676126) * Mon Feb 07 2011 Fedora Release Engineering - 1.9-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild @@ -2774,11 +2783,11 @@ exit 0 * Tue Feb 1 2011 Nalin Dahyabhai - properly advertise that the kpropd init script now supports force-reload - (Zbysek Mraz, #630587) + (Zbysek Mraz, rhbz#630587) * Wed Jan 26 2011 Nalin Dahyabhai 1.9-2 - pkinit: when verifying signed data, use the CMS APIs for better - interoperability (#636985, RT#6851) + interoperability (rhbz#636985, RT#6851) * Wed Dec 22 2010 Nalin Dahyabhai 1.9-1 - update to 1.9 final @@ -2798,56 +2807,56 @@ exit 0 * Fri Nov 5 2010 Nalin Dahyabhai 1.9-0.beta1.0 - start moving to 1.9 with beta 1 - drop patches for RT#5755, RT#6762, RT#6774, RT#6775 - - drop no-longer-needed backport patch for #539423 + - drop no-longer-needed backport patch for rhbz#539423 - drop no-longer-needed patch for CVE-2010-1322 - if WITH_NSS is set, built with --with-crypto-impl=nss (requires NSS 3.12.9) * Tue Oct 5 2010 Nalin Dahyabhai 1.8.3-8 - incorporate upstream patch to fix uninitialized pointer crash in the KDC's - authorization data handling (CVE-2010-1322, #636335) + authorization data handling (CVE-2010-1322, rhbz#636335) * Mon Oct 4 2010 Nalin Dahyabhai 1.8.3-7 - rebuild * Mon Oct 4 2010 Nalin Dahyabhai 1.8.3-6 - pull down patches from trunk to implement k5login_authoritative and - k5login_directory settings for krb5.conf (#539423) + k5login_directory settings for krb5.conf (rhbz#539423) * Wed Sep 29 2010 jkeating - 1.8.3-5 -- Rebuilt for gcc bug 634757 +- Rebuilt for gcc rhbz#634757 * Wed Sep 15 2010 Nalin Dahyabhai 1.8.3-4 - fix reading of keyUsage extensions when attempting to select pkinit client - certs (part of #629022, RT#6775) + certs (part of rhbz#629022, RT#6775) - fix selection of pkinit client certs when one or more don't include a - subjectAltName extension (part of #629022, RT#6774) + subjectAltName extension (part of rhbz#629022, RT#6774) * Fri Sep 3 2010 Nalin Dahyabhai 1.8.3-3 - build with -fstack-protector-all instead of the default -fstack-protector, - so that we add checking to more functions (i.e., all of them) (#629950) -- also link binaries with -Wl,-z,relro,-z,now (part of #629950) + so that we add checking to more functions (i.e., all of them) (rhbz#629950) +- also link binaries with -Wl,-z,relro,-z,now (part of rhbz#629950) * Tue Aug 24 2010 Nalin Dahyabhai 1.8.3-2 -- fix a logic bug in computing key expiration times (RT#6762, #627022) +- fix a logic bug in computing key expiration times (RT#6762, rhbz#627022) * Wed Aug 4 2010 Nalin Dahyabhai 1.8.3-1 - update to 1.8.3 - drop backports of fixes for gss context expiration and error table registration/deregistration mismatch - - drop patch for upstream #6750 + - drop patch for upstream rhbz#6750 * Wed Jul 7 2010 Nalin Dahyabhai 1.8.2-3 - tell krb5kdc and kadmind to create pid files, since they can -- add logrotate configuration files for krb5kdc and kadmind (#462658) -- fix parsing of the pidfile option in the KDC (upstream #6750) +- add logrotate configuration files for krb5kdc and kadmind (rhbz#462658) +- fix parsing of the pidfile option in the KDC (upstream rhbz#6750) * Mon Jun 21 2010 Nalin Dahyabhai 1.8.2-2 - libgssapi: pull in patch from svn to stop returning context-expired errors - when the ticket which was used to set up the context expires (#605366, - upstream #6739) + when the ticket which was used to set up the context expires (rhbz#605366, + upstream rhbz#6739) * Mon Jun 21 2010 Nalin Dahyabhai -- pull up fix for upstream #6745, in which the gssapi library would add the +- pull up fix for upstream rhbz#6745, in which the gssapi library would add the wrong error table but subsequently attempt to unload the right one * Thu Jun 10 2010 Nalin Dahyabhai 1.8.2-1 @@ -2859,8 +2868,8 @@ exit 0 * Thu May 27 2010 Nalin Dahyabhai - ksu: move session management calls to before we drop privileges, like - su does (#596887), and don't skip the PAM account check for root or the - same user (more of #540769) + su does (rhbz#596887), and don't skip the PAM account check for root or the + same user (more of rhbz#540769) * Mon May 24 2010 Nalin Dahyabhai 1.8.1-6 - make krb5-server-ldap also depend on the same version-release of krb5-libs, @@ -2873,20 +2882,20 @@ exit 0 * Tue May 18 2010 Nalin Dahyabhai 1.8.1-5 - add patch to correct GSSAPI library null pointer dereference which could be - triggered by malformed client requests (CVE-2010-1321, #582466) + triggered by malformed client requests (CVE-2010-1321, rhbz#582466) * Tue May 4 2010 Nalin Dahyabhai 1.8.1-4 -- fix output of kprop's init script's "status" and "reload" commands (#588222) +- fix output of kprop's init script's "status" and "reload" commands (rhbz#588222) * Tue Apr 20 2010 Nalin Dahyabhai 1.8.1-3 -- incorporate patch to fix double-free in the KDC (CVE-2010-1320, #581922) +- incorporate patch to fix double-free in the KDC (CVE-2010-1320, rhbz#581922) * Wed Apr 14 2010 Nalin Dahyabhai 1.8.1-2 - fix a typo in kerberos.ldif * Fri Apr 9 2010 Nalin Dahyabhai 1.8.1-1 - update to 1.8.1 - - no longer need patches for #555875, #561174, #563431, RT#6661, CVE-2010-0628 + - no longer need patches for rhbz#555875, rhbz#561174, rhbz#563431, RT#6661, CVE-2010-0628 - replace buildrequires on tetex-latex with one on texlive-latex, which is the package that provides it now @@ -2896,21 +2905,21 @@ exit 0 * Thu Apr 8 2010 Nalin Dahyabhai - drop patch to suppress key expiration warnings sent from the KDC in the last-req field, as the KDC is expected to just be configured to either - send them or not as a particular key approaches expiration (#556495) + send them or not as a particular key approaches expiration (rhbz#556495) * Tue Mar 23 2010 Nalin Dahyabhai - 1.8-5 -- add upstream fix for denial-of-service in SPNEGO (CVE-2010-0628, #576325) +- add upstream fix for denial-of-service in SPNEGO (CVE-2010-0628, rhbz#576325) - kdc.conf: no more need to suggest keeping keys with v4-compatible salting * Fri Mar 19 2010 Nalin Dahyabhai - 1.8-4 - remove the krb5-appl bits (the -workstation-clients and -workstation-servers subpackages) now that krb5-appl is its own package -- replace our patch for #563431 (kpasswd doesn't fall back to guessing your +- replace our patch for rhbz#563431 (kpasswd doesn't fall back to guessing your principal name using your user name if you don't have a ccache) with the one upstream uses * Fri Mar 12 2010 Nalin Dahyabhai - 1.8-3 -- add documentation for the ticket_lifetime option (#561174) +- add documentation for the ticket_lifetime option (rhbz#561174) * Mon Mar 8 2010 Nalin Dahyabhai - 1.8-2 - pull up patch to get the client libraries to correctly perform password @@ -2930,10 +2939,10 @@ exit 0 - fix a null pointer dereference and crash introduced in our PAM patch that would happen if ftpd was given the name of a user who wasn't known to the local system, limited to being triggerable by gssapi-authenticated clients by - the default xinetd config (Olivier Fourdan, #569472) + the default xinetd config (Olivier Fourdan, rhbz#569472) * Tue Mar 2 2010 Nalin Dahyabhai - 1.7.1-5 -- fix a regression (not labeling a kdb database lock file correctly, #569902) +- fix a regression (not labeling a kdb database lock file correctly, rhbz#569902) * Thu Feb 25 2010 Nalin Dahyabhai - 1.7.1-4 - move the package changelog to the end to match the usual style (jdennis) @@ -2943,15 +2952,15 @@ exit 0 * Wed Feb 17 2010 Nalin Dahyabhai - 1.7.1-3 - pull up the change to make kpasswd's behavior better match the docs - when there's no ccache (#563431) + when there's no ccache (rhbz#563431) * Tue Feb 16 2010 Nalin Dahyabhai - 1.7.1-2 - apply patch from upstream to fix KDC denial of service (CVE-2010-0283, - #566002) + rhbz#566002) * Wed Feb 3 2010 Nalin Dahyabhai - 1.7.1-1 - update to 1.7.1 - - don't trip AD lockout on wrong password (#542687, #554351) + - don't trip AD lockout on wrong password (rhbz#542687, rhbz#554351) - incorporates fixes for CVE-2009-4212 and CVE-2009-3295 - fixes gss_krb5_copy_ccache() when SPNEGO is used - move sim_client/sim_server, gss-client/gss-server, uuclient/uuserver to @@ -2961,7 +2970,7 @@ exit 0 depends on -workstation which also includes them * Mon Jan 25 2010 Nalin Dahyabhai - 1.7-23 -- tighten up default permissions on kdc.conf and kadm5.acl (#558343) +- tighten up default permissions on kdc.conf and kadm5.acl (rhbz#558343) * Fri Jan 22 2010 Nalin Dahyabhai - 1.7-22 - use portreserve correctly -- portrelease takes the basename of the file @@ -2970,47 +2979,47 @@ exit 0 * Mon Jan 18 2010 Nalin Dahyabhai - 1.7-21 - suppress warnings of impending password expiration if expiration is more than seven days away when the KDC reports it via the last-req field, just as we - already do when it reports expiration via the key-expiration field (#556495) + already do when it reports expiration via the key-expiration field (rhbz#556495) - link with libtinfo rather than libncurses, when we can, in future RHEL * Fri Jan 15 2010 Nalin Dahyabhai - 1.7-20 - krb5_get_init_creds_password: check opte->flags instead of options->flags - when checking whether or not we get to use the prompter callback (#555875) + when checking whether or not we get to use the prompter callback (rhbz#555875) * Thu Jan 14 2010 Nalin Dahyabhai - 1.7-19 - use portreserve to make sure the KDC can always bind to the kerberos-iv port, kpropd can always bind to the krb5_prop port, and that kadmind can - always bind to the kerberos-adm port (#555279) + always bind to the kerberos-adm port (rhbz#555279) - correct inadvertent use of macros in the changelog (rpmlint) * Tue Jan 12 2010 Nalin Dahyabhai - 1.7-18 - add upstream patch for integer underflow during AES and RC4 decryption - (CVE-2009-4212), via Tom Yu (#545015) + (CVE-2009-4212), via Tom Yu (rhbz#545015) * Wed Jan 6 2010 Nalin Dahyabhai - 1.7-17 - put the conditional back for the -devel subpackage -- back down to the earlier version of the patch for #551764; the backported +- back down to the earlier version of the patch for rhbz#551764; the backported alternate version was incomplete * Tue Jan 5 2010 Nalin Dahyabhai - 1.7-16 - use %%global instead of %%define - pull up proposed patch for creating previously-not-there lock files for - kdb databases when 'kdb5_util' is called to 'load' (#551764) + kdb databases when 'kdb5_util' is called to 'load' (rhbz#551764) * Mon Jan 4 2010 Dennis Gregorovic - fix conditional for future RHEL * Mon Jan 4 2010 Nalin Dahyabhai - 1.7-15 - add upstream patch for KDC crash during referral processing (CVE-2009-3295), - via Tom Yu (#545002) + via Tom Yu (rhbz#545002) * Mon Dec 21 2009 Nalin Dahyabhai - 1.7-14 -- refresh patch for #542868 from trunk +- refresh patch for rhbz#542868 from trunk * Thu Dec 10 2009 Nalin Dahyabhai - move man pages that live in the -libs subpackage into the regular %%{_mandir} tree where they'll still be found if that package is the - only one installed (#529319) + only one installed (rhbz#529319) * Wed Dec 9 2009 Nalin Dahyabhai - 1.7-13 - and put it back in @@ -3019,14 +3028,14 @@ exit 0 - back that last change out * Tue Dec 8 2009 Nalin Dahyabhai - 1.7-12 -- try to make gss_krb5_copy_ccache() work correctly for spnego (#542868) +- try to make gss_krb5_copy_ccache() work correctly for spnego (rhbz#542868) * Fri Dec 4 2009 Nalin Dahyabhai -- make krb5-config suppress CFLAGS output when called with --libs (#544391) +- make krb5-config suppress CFLAGS output when called with --libs (rhbz#544391) * Thu Dec 3 2009 Nalin Dahyabhai - 1.7-11 - ksu: move account management checks to before we drop privileges, like - su does (#540769) + su does (rhbz#540769) - selinux: set the user part of file creation contexts to match the current context instead of what we looked up - configure with --enable-dns-for-realm instead of --enable-dns, which isn't @@ -3034,7 +3043,7 @@ exit 0 * Fri Nov 20 2009 Nalin Dahyabhai - 1.7-10 - move /etc/pam.d/ksu from krb5-workstation-servers to krb5-workstation, - where it's actually needed (#538703) + where it's actually needed (rhbz#538703) * Fri Oct 23 2009 Nalin Dahyabhai - 1.7-9 - add some conditional logic to simplify building on older Fedora releases @@ -3045,11 +3054,11 @@ exit 0 * Mon Sep 14 2009 Nalin Dahyabhai - 1.7-8 - specify the location of the subsystem lock when using the status() function in the kadmind and kpropd init scripts, so that we get the right error when - we're dead but have a lock file - requires initscripts 8.99 (#521772) + we're dead but have a lock file - requires initscripts 8.99 (rhbz#521772) * Tue Sep 8 2009 Nalin Dahyabhai - if the init script fails to start krb5kdc/kadmind/kpropd because it's already - running (according to status()), return 0 (part of #521772) + running (according to status()), return 0 (part of rhbz#521772) * Mon Aug 24 2009 Nalin Dahyabhai - 1.7-7 - work around a compile problem with new openssl @@ -3108,7 +3117,7 @@ exit 0 - drop static build logic - drop pam_krb5-specific configuration from the default krb5.conf - drop only-use-v5 flags being passed to various things started by xinetd -- put %%{krb5prefix}/sbin in everyone's path, too (#504525) +- put %%{krb5prefix}/sbin in everyone's path, too (rhbz#504525) * Tue May 19 2009 Nalin Dahyabhai 1.6.3-106 - add an auth stack to ksu's PAM configuration so that pam_setcred() calls @@ -3132,7 +3141,7 @@ exit 0 - add LSB-style init script info * Fri Apr 17 2009 Nalin Dahyabhai -- explicitly run the pdf generation script using sh (part of #225974) +- explicitly run the pdf generation script using sh (part of rhbz#225974) * Tue Apr 7 2009 Nalin Dahyabhai 1.6.3-101 - add patches for read overflow and null pointer dereference in the @@ -3148,14 +3157,14 @@ exit 0 - use triggeruns to properly shut down and disable krb524d when -server and -workstation-servers gets upgraded, because it's gone now - move the libraries to /%%{_lib}, but leave --libdir alone so that plugins - get installed and are searched for in the same locations (#473333) + get installed and are searched for in the same locations (rhbz#473333) - clean up buildprereq/prereqs, explicit mktemp requires, and add the - ldconfig for the -server-ldap subpackage (part of #225974) -- escape possible macros in the changelog (part of #225974) -- fixup summary texts (part of #225974) -- take the execute bit off of the protocol docs (part of #225974) -- unflag init scripts as configuration files (part of #225974) -- make the kpropd init script treat 'reload' as 'restart' (part of #225974) + ldconfig for the -server-ldap subpackage (part of rhbz#225974) +- escape possible macros in the changelog (part of rhbz#225974) +- fixup summary texts (part of rhbz#225974) +- take the execute bit off of the protocol docs (part of rhbz#225974) +- unflag init scripts as configuration files (part of rhbz#225974) +- make the kpropd init script treat 'reload' as 'restart' (part of rhbz#225974) * Tue Mar 17 2009 Nalin Dahyabhai 1.6.3-19 - libgssapi_krb5: backport fix for some errors which can occur when @@ -3170,7 +3179,7 @@ exit 0 * Thu Sep 4 2008 Nalin Dahyabhai - if we successfully change the user's password during an attempt to get initial credentials, but then fail to get initial creds from a non-master - using the new password, retry against the master (#432334) + using the new password, retry against the master (rhbz#432334) * Tue Aug 5 2008 Tom "spot" Callaway 1.6.3-16 - fix license tag @@ -3193,7 +3202,7 @@ exit 0 * Wed Apr 16 2008 Nalin Dahyabhai 1.6.3-13 - ftp: use the correct local filename during mget when the 'case' option is - enabled (#442713) + enabled (rhbz#442713) * Fri Apr 4 2008 Nalin Dahyabhai 1.6.3-12 - stop exporting kadmin keys to a keytab file when kadmind starts -- the @@ -3207,17 +3216,17 @@ exit 0 * Tue Mar 18 2008 Nalin Dahyabhai 1.6.3-10 - add fixes from MITKRB5-SA-2008-001 for use of null or dangling pointer when v4 compatibility is enabled on the KDC (CVE-2008-0062, CVE-2008-0063, - #432620, #432621) + rhbz#432620, rhbz#432621) - add fixes from MITKRB5-SA-2008-002 for array out-of-bounds accesses when - high-numbered descriptors are used (CVE-2008-0947, #433596) + high-numbered descriptors are used (CVE-2008-0947, rhbz#433596) - add backport bug fix for an attempt to free non-heap memory in - libgssapi_krb5 (CVE-2007-5901, #415321) + libgssapi_krb5 (CVE-2007-5901, rhbz#415321) - add backport bug fix for a double-free in out-of-memory situations in - libgssapi_krb5 (CVE-2007-5971, #415351) + libgssapi_krb5 (CVE-2007-5971, rhbz#415351) * Tue Mar 18 2008 Nalin Dahyabhai 1.6.3-9 - rework file labeling patch to not depend on fragile preprocessor trickery, - in another attempt at fixing #428355 and friends + in another attempt at fixing rhbz#428355 and friends * Tue Feb 26 2008 Nalin Dahyabhai 1.6.3-8 - ftp: add patch to fix "runique on" case when globbing fixes applied @@ -3225,12 +3234,12 @@ exit 0 * Mon Feb 25 2008 Nalin Dahyabhai - add patch to suppress double-processing of /etc/krb5.conf when we build - with --sysconfdir=/etc, thereby suppressing double-logging (#231147) + with --sysconfdir=/etc, thereby suppressing double-logging (rhbz#231147) * Mon Feb 25 2008 Nalin Dahyabhai - remove a patch, to fix problems with interfaces which are "up" but which have no address assigned, which conflicted with a different fix for the same - problem in 1.5 (#200979) + problem in 1.5 (rhbz#200979) * Mon Feb 25 2008 Nalin Dahyabhai - ftp: don't lose track of a descriptor on passive get when the server fails to @@ -3254,22 +3263,22 @@ exit 0 * Tue Feb 12 2008 Nalin Dahyabhai 1.6.3-5 - enable patch for key-expiration reporting -- enable patch to make kpasswd fall back to TCP if UDP fails (#251206) +- enable patch to make kpasswd fall back to TCP if UDP fails (rhbz#251206) - enable patch to make kpasswd use the right sequence number on retransmit - enable patch to allow mech-specific creds delegated under spnego to be found when searching for creds * Wed Jan 2 2008 Nalin Dahyabhai 1.6.3-4 - some init script cleanups - - drop unquoted check and silent exit for "$NETWORKING" (#426852, #242502) + - drop unquoted check and silent exit for "$NETWORKING" (rhbz#426852, rhbz#242502) - krb524: don't barf on missing database if it looks like we're using kldap, same as for kadmin - return non-zero status for missing files which cause startup to - fail (#242502) + fail (rhbz#242502) * Tue Dec 18 2007 Nalin Dahyabhai 1.6.3-3 - allocate space for the nul-terminator in the local pathname when looking up - a file context, and properly free a previous context (Jose Plans, #426085) + a file context, and properly free a previous context (Jose Plans, rhbz#426085) * Wed Dec 5 2007 Nalin Dahyabhai 1.6.3-2 - rebuild @@ -3285,7 +3294,7 @@ exit 0 * Fri Oct 12 2007 Nalin Dahyabhai - make krb5.conf %%verify(not md5 size mtime) in addition to - %%config(noreplace), like /etc/nsswitch.conf (#329811) + %%config(noreplace), like /etc/nsswitch.conf (rhbz#329811) * Mon Oct 1 2007 Nalin Dahyabhai 1.6.2-9 - apply the fix for CVE-2007-4000 instead of the experimental patch for @@ -3302,7 +3311,7 @@ exit 0 * Thu Sep 6 2007 Nalin Dahyabhai 1.6.2-6 - incorporate updated fix for CVE-2007-3999 (CVE-2007-4743) -- fix incorrect call to "test" in the kadmin init script (#252322,#287291) +- fix incorrect call to "test" in the kadmin init script (rhbz#252322,rhbz#287291) * Tue Sep 4 2007 Nalin Dahyabhai 1.6.2-5 - incorporate fixes for MITKRB5-SA-2007-006 (CVE-2007-3999, CVE-2007-4000) @@ -3315,7 +3324,7 @@ exit 0 - rebuild * Thu Jul 26 2007 Nalin Dahyabhai 1.6.2-2 -- kdc.conf: default to listening for TCP clients, too (#248415) +- kdc.conf: default to listening for TCP clients, too (rhbz#248415) * Thu Jul 19 2007 Nalin Dahyabhai 1.6.2-1 - update to 1.6.2 @@ -3341,13 +3350,13 @@ exit 0 - rebuild * Sun Jun 24 2007 Nalin Dahyabhai 1.6.1-3 -- label all files at creation-time according to the SELinux policy (#228157) +- label all files at creation-time according to the SELinux policy (rhbz#228157) * Fri Jun 22 2007 Nalin Dahyabhai -- perform PAM account / session management in krshd (#182195,#195922) +- perform PAM account / session management in krshd (rhbz#182195,rhbz#195922) - perform PAM authentication and account / session management in ftpd - perform PAM authentication, account / session management, and password- - changing in login.krb5 (#182195,#195922) + changing in login.krb5 (rhbz#182195,rhbz#195922) * Fri Jun 22 2007 Nalin Dahyabhai - preprocess kerberos.ldif into a format FDS will like better, and include @@ -3357,7 +3366,7 @@ exit 0 - switch man pages to being generated with the right paths in them - drop old, incomplete SELinux patch - add patch from Greg Hudson to make srvtab routines report missing-file errors - at same point that keytab routines do (#241805) + at same point that keytab routines do (rhbz#241805) * Thu May 24 2007 Nalin Dahyabhai 1.6.1-2 - pull patch from svn to undo unintentional chattiness in ftp @@ -3378,7 +3387,7 @@ exit 0 * Wed May 16 2007 Nalin Dahyabhai 1.6-6 - omit dependent libraries from the krb5-config --libs output, as using shared libraries (no more static libraries) makes them unnecessary and - they're not part of the libkrb5 interface (patch by Rex Dieter, #240220) + they're not part of the libkrb5 interface (patch by Rex Dieter, rhbz#240220) (strips out libkeyutils, libresolv, libdl) * Fri May 4 2007 Nalin Dahyabhai 1.6-5 @@ -3393,17 +3402,17 @@ exit 0 * Fri Apr 13 2007 Nalin Dahyabhai - move the default acl_file, dict_file, and admin_keytab settings to the part of the default/example kdc.conf where they'll actually have - an effect (#236417) + an effect (rhbz#236417) * Thu Apr 5 2007 Nalin Dahyabhai 1.5-24 - merge security fixes from RHSA-2007:0095 * Tue Apr 3 2007 Nalin Dahyabhai 1.6-3 - add patch to correct unauthorized access via krb5-aware telnet - daemon (#229782, CVE-2007-0956) + daemon (rhbz#229782, CVE-2007-0956) - add patch to fix buffer overflow in krb5kdc and kadmind - (#231528, CVE-2007-0957) -- add patch to fix double-free in kadmind (#231537, CVE-2007-1216) + (rhbz#231528, CVE-2007-0957) +- add patch to fix double-free in kadmind (rhbz#231537, CVE-2007-1216) * Thu Mar 22 2007 Nalin Dahyabhai - back out buildrequires: keyutils-libs-devel for now @@ -3419,19 +3428,19 @@ exit 0 * Thu Mar 15 2007 Nalin Dahyabhai 1.5-21 - add preliminary patch to fix buffer overflow in krb5kdc and kadmind - (#231528, CVE-2007-0957) -- add preliminary patch to fix double-free in kadmind (#231537, CVE-2007-1216) + (rhbz#231528, CVE-2007-0957) +- add preliminary patch to fix double-free in kadmind (rhbz#231537, CVE-2007-1216) * Wed Feb 28 2007 Nalin Dahyabhai - add patch to build semi-useful static libraries, but don't apply it unless we need them * Tue Feb 27 2007 Nalin Dahyabhai - 1.5-20 -- temporarily back out %%post changes, fix for #143289 for security update +- temporarily back out %%post changes, fix for rhbz#143289 for security update - add preliminary patch to correct unauthorized access via krb5-aware telnet * Mon Feb 19 2007 Nalin Dahyabhai -- make profile.d scriptlets mode 644 instead of 755 (part of #225974) +- make profile.d scriptlets mode 644 instead of 755 (part of rhbz#225974) * Tue Jan 30 2007 Nalin Dahyabhai 1.6-1 - clean up quoting of command-line arguments passed to the krsh/krlogin @@ -3439,22 +3448,22 @@ exit 0 * Mon Jan 22 2007 Nalin Dahyabhai - initial update to 1.6, pre-package-reorg -- move workstation daemons to a new subpackage (#81836, #216356, #217301), and - make the new subpackage require xinetd (#211885) +- move workstation daemons to a new subpackage (rhbz#81836, rhbz#216356, rhbz#217301), and + make the new subpackage require xinetd (rhbz#211885) * Mon Jan 22 2007 Nalin Dahyabhai - 1.5-18 -- make use of install-info more failsafe (Ville Skyttä, #223704) +- make use of install-info more failsafe (Ville Skyttä, rhbz#223704) - preserve timestamps on shell scriptlets at %%install-time * Tue Jan 16 2007 Nalin Dahyabhai - 1.5-17 -- move to using pregenerated PDF docs to cure multilib conflicts (#222721) +- move to using pregenerated PDF docs to cure multilib conflicts (rhbz#222721) * Fri Jan 12 2007 Nalin Dahyabhai - 1.5-16 -- update backport of the preauth module interface (part of #194654) +- update backport of the preauth module interface (part of rhbz#194654) * Tue Jan 9 2007 Nalin Dahyabhai - 1.5-14 -- apply fixes from Tom Yu for MITKRB5-SA-2006-002 (CVE-2006-6143) (#218456) -- apply fixes from Tom Yu for MITKRB5-SA-2006-003 (CVE-2006-6144) (#218456) +- apply fixes from Tom Yu for MITKRB5-SA-2006-002 (CVE-2006-6143) (rhbz#218456) +- apply fixes from Tom Yu for MITKRB5-SA-2006-003 (CVE-2006-6144) (rhbz#218456) * Wed Dec 20 2006 Nalin Dahyabhai - 1.5-12 - update backport of the preauth module interface @@ -3472,21 +3481,21 @@ exit 0 been applicable for a while * Wed Oct 18 2006 Nalin Dahyabhai - 1.5-10 -- rename krb5.sh and krb5.csh so that they don't overlap (#210623) -- way-late application of added error info in kadmind.init (#65853) +- rename krb5.sh and krb5.csh so that they don't overlap (rhbz#210623) +- way-late application of added error info in kadmind.init (rhbz#65853) * Wed Oct 18 2006 Nalin Dahyabhai - 1.5-9.pal_18695 -- add backport of in-development preauth module interface (#208643) +- add backport of in-development preauth module interface (rhbz#208643) * Mon Oct 9 2006 Nalin Dahyabhai - 1.5-9 -- provide docs in PDF format instead of as tex source (Enrico Scholz, #209943) +- provide docs in PDF format instead of as tex source (Enrico Scholz, rhbz#209943) * Wed Oct 4 2006 Nalin Dahyabhai - 1.5-8 -- add missing shebang headers to krsh and krlogin wrapper scripts (#209238) +- add missing shebang headers to krsh and krlogin wrapper scripts (rhbz#209238) * Wed Sep 6 2006 Nalin Dahyabhai - 1.5-7 - set SS_LIB at configure-time so that libss-using apps get working readline - support (#197044) + support (rhbz#197044) * Fri Aug 18 2006 Nalin Dahyabhai - 1.5-6 - switch to the updated patch for MITKRB-SA-2006-001 @@ -3497,7 +3506,7 @@ exit 0 * Mon Aug 7 2006 Nalin Dahyabhai - 1.5-4 - ensure that the gssapi library's been initialized before walking the internal mechanism list in gss_release_oid(), needed if called from - gss_release_name() right after a gss_import_name() (#198092) + gss_release_name() right after a gss_import_name() (rhbz#198092) * Tue Jul 25 2006 Nalin Dahyabhai - 1.5-3 - rebuild @@ -3518,7 +3527,7 @@ exit 0 - update to 1.5 * Fri Jun 23 2006 Nalin Dahyabhai 1.4.3-9 -- mark profile.d config files noreplace (Laurent Rineau, #196447) +- mark profile.d config files noreplace (Laurent Rineau, rhbz#196447) * Thu Jun 8 2006 Nalin Dahyabhai 1.4.3-8 - add buildprereq for autoconf @@ -3526,11 +3535,11 @@ exit 0 * Mon May 22 2006 Nalin Dahyabhai 1.4.3-7 - further munge krb5-config so that 'libdir=/usr/lib' is given even on 64-bit architectures, to avoid multilib conflicts; other changes will conspire to - strip out the -L flag which uses this, so it should be harmless (#192692) + strip out the -L flag which uses this, so it should be harmless (rhbz#192692) * Fri Apr 28 2006 Nalin Dahyabhai 1.4.3-6 - adjust the patch which removes the use of rpath to also produce a - krb5-config which is okay in multilib environments (#190118) + krb5-config which is okay in multilib environments (rhbz#190118) - make the name-of-the-tempfile comment which compile_et adds to error code headers always list the same file to avoid conflicts on multilib installations - strip SIZEOF_LONG out of krb5.h so that it doesn't conflict on multilib boxes @@ -3545,7 +3554,7 @@ exit 0 * Mon Feb 6 2006 Nalin Dahyabhai 1.4.3-4 - give a little bit more information to the user when kinit gets the catch-all - I/O error (#180175) + I/O error (rhbz#180175) * Thu Jan 19 2006 Nalin Dahyabhai 1.4.3-3 - rebuild properly when pthread_mutexattr_setrobust_np() is defined but not @@ -3559,23 +3568,23 @@ exit 0 * Thu Dec 1 2005 Nalin Dahyabhai - login: don't truncate passwords before passing them into crypt(), in - case they're significant (#149476) + case they're significant (rhbz#149476) * Thu Nov 17 2005 Nalin Dahyabhai 1.4.3-1 - update to 1.4.3 -- make ksu setuid again (#137934, others) +- make ksu setuid again (rhbz#137934, others) * Tue Sep 13 2005 Nalin Dahyabhai 1.4.2-4 - mark %%{krb5prefix}/man so that files which are packaged within it are - flagged as %%doc (#168163) + flagged as %%doc (rhbz#168163) * Tue Sep 6 2005 Nalin Dahyabhai 1.4.2-3 - add an xinetd configuration file for encryption-only telnetd, parallelling - the kshell/ekshell pair (#167535) + the kshell/ekshell pair (rhbz#167535) * Wed Aug 31 2005 Nalin Dahyabhai 1.4.2-2 - change the default configured encryption type for KDC databases to the - compiled-in default of des3-hmac-sha1 (#57847) + compiled-in default of des3-hmac-sha1 (rhbz#57847) * Thu Aug 11 2005 Nalin Dahyabhai 1.4.2-1 - update to 1.4.2, incorporating the fixes for MIT-KRB5-SA-2005-002 and @@ -3586,23 +3595,23 @@ exit 0 * Wed Jun 29 2005 Nalin Dahyabhai 1.4.1-5 - fix telnet client environment variable disclosure the same way NetKit's - telnet client did (CAN-2005-0488) (#159305) + telnet client did (CAN-2005-0488) (rhbz#159305) - keep apps which call krb5_principal_compare() or krb5_realm_compare() with malformed or NULL principal structures from crashing outright (Thomas Biege) - (#161475) + (rhbz#161475) * Tue Jun 28 2005 Nalin Dahyabhai - apply fixes from draft of MIT-KRB5-SA-2005-002 (CAN-2005-1174,CAN-2005-1175) - (#157104) -- apply fixes from draft of MIT-KRB5-SA-2005-003 (CAN-2005-1689) (#159755) + (rhbz#157104) +- apply fixes from draft of MIT-KRB5-SA-2005-003 (CAN-2005-1689) (rhbz#159755) * Fri Jun 24 2005 Nalin Dahyabhai 1.4.1-4 - fix double-close in keytab handling -- add port of fixes for CAN-2004-0175 to krb5-aware rcp (#151612) +- add port of fixes for CAN-2004-0175 to krb5-aware rcp (rhbz#151612) * Fri May 13 2005 Nalin Dahyabhai 1.4.1-3 - prevent spurious EBADF in krshd when stdin is closed by the client while - the command is running (#151111) + the command is running (rhbz#151111) * Fri May 13 2005 Martin Stransky 1.4.1-2 - add deadlock patch, removed old patch @@ -3661,18 +3670,18 @@ exit 0 - rebuild * Mon Nov 22 2004 Nalin Dahyabhai 1.3.5-3 -- fix predictable-tempfile-name bug in krb5-send-pr (CAN-2004-0971, #140036) +- fix predictable-tempfile-name bug in krb5-send-pr (CAN-2004-0971, rhbz#140036) * Tue Nov 16 2004 Nalin Dahyabhai - silence compiler warning in kprop by using an in-memory ccache with a fixed name instead of an on-disk ccache with a name generated by tmpnam() * Tue Nov 16 2004 Nalin Dahyabhai 1.3.5-2 -- fix globbing patch port mode (#139075) +- fix globbing patch port mode (rhbz#139075) * Mon Nov 1 2004 Nalin Dahyabhai 1.3.5-1 - fix segfault in telnet due to incorrect checking of gethostbyname_r result - codes (#129059) + codes (rhbz#129059) * Fri Oct 15 2004 Nalin Dahyabhai - remove rc4-hmac:norealm and rc4-hmac:onlyrealm from the default list of @@ -3697,11 +3706,11 @@ exit 0 * Mon Aug 23 2004 Nalin Dahyabhai 1.3.4-3 - incorporate fixes from Tom Yu for CAN-2004-0642, CAN-2004-0772 - (MITKRB5-SA-2004-002, #130732) -- incorporate fixes from Tom Yu for CAN-2004-0644 (MITKRB5-SA-2004-003, #130732) + (MITKRB5-SA-2004-002, rhbz#130732) +- incorporate fixes from Tom Yu for CAN-2004-0644 (MITKRB5-SA-2004-003, rhbz#130732) * Tue Jul 27 2004 Nalin Dahyabhai 1.3.4-2 -- fix indexing error in server sorting patch (#127336) +- fix indexing error in server sorting patch (rhbz#127336) * Tue Jun 15 2004 Elliot Lee - rebuilt @@ -3726,7 +3735,7 @@ exit 0 - rebuild * Tue Jun 1 2004 Nalin Dahyabhai 1.3.3-4 -- apply patch from MITKRB5-SA-2004-001 (#125001) +- apply patch from MITKRB5-SA-2004-001 (rhbz#125001) * Wed May 12 2004 Thomas Woerner 1.3.3-3 - removed rpath @@ -3756,17 +3765,17 @@ exit 0 * Mon Feb 2 2004 Nalin Dahyabhai 1.3.1-9 - remove patch to set TERM in klogind which, combined with the upstream fix in - 1.3.1, actually produces the bug now (#114762) + 1.3.1, actually produces the bug now (rhbz#114762) * Mon Jan 19 2004 Nalin Dahyabhai 1.3.1-8 - when iterating over lists of interfaces which are "up" from getifaddrs(), - skip over those which have no address (#113347) + skip over those which have no address (rhbz#113347) * Mon Jan 12 2004 Nalin Dahyabhai - prefer the kdc which last replied to a request when sending requests to kdcs * Mon Nov 24 2003 Nalin Dahyabhai 1.3.1-7 -- fix combination of --with-netlib and --enable-dns (#82176) +- fix combination of --with-netlib and --enable-dns (rhbz#82176) * Tue Nov 18 2003 Nalin Dahyabhai - remove libdefault ticket_lifetime option from the default krb5.conf, it is @@ -3975,12 +3984,12 @@ exit 0 * Wed Jun 27 2001 Nalin Dahyabhai - add patch to support "ANY" keytab type (i.e., "default_keytab_name = ANY:FILE:/etc/krb5.keytab,SRVTAB:/etc/srvtab" - patch from Gerald Britton, #42551) -- build with -D_FILE_OFFSET_BITS=64 to get large file I/O in ftpd (#30697) + patch from Gerald Britton, rhbz#42551) +- build with -D_FILE_OFFSET_BITS=64 to get large file I/O in ftpd (rhbz#30697) - patch ftpd to use long long and %%lld format specifiers to support the SIZE - command on large files (also #30697) -- don't use LOG_AUTH as an option value when calling openlog() in ksu (#45965) -- implement reload in krb5kdc and kadmind init scripts (#41911) + command on large files (also rhbz#30697) +- don't use LOG_AUTH as an option value when calling openlog() in ksu (rhbz#45965) +- implement reload in krb5kdc and kadmind init scripts (rhbz#41911) - lose the krb5server init script (not using it any more) * Sun Jun 24 2001 Elliot Lee @@ -3993,7 +4002,7 @@ exit 0 - rebuild in new environment * Thu Apr 26 2001 Nalin Dahyabhai -- add patch from Tom Yu to fix ftpd overflows (#37731) +- add patch from Tom Yu to fix ftpd overflows (rhbz#37731) * Wed Apr 18 2001 Than Ngo - disable optimizations on the alpha again @@ -4017,7 +4026,7 @@ exit 0 - own %%{_var}/kerberos * Tue Feb 6 2001 Nalin Dahyabhai -- own the directories which are created for each package (#26342) +- own the directories which are created for each package (rhbz#26342) * Tue Jan 23 2001 Nalin Dahyabhai - gettextize init scripts @@ -4027,7 +4036,7 @@ exit 0 - re-enable optimization on alphas * Mon Jan 15 2001 Nalin Dahyabhai -- fix krb5-send-pr (#18932) and move it from -server to -workstation +- fix krb5-send-pr (rhbz#18932) and move it from -server to -workstation - buildprereq libtermcap-devel - temporariliy disable optimization on alphas - gettextize init scripts @@ -4039,29 +4048,29 @@ exit 0 - rebuild in new environment * Tue Oct 31 2000 Nalin Dahyabhai -- add bison as a BuildPrereq (#20091) +- add bison as a BuildPrereq (rhbz#20091) * Mon Oct 30 2000 Nalin Dahyabhai -- change /usr/dict/words to /usr/share/dict/words in default kdc.conf (#20000) +- change /usr/dict/words to /usr/share/dict/words in default kdc.conf (rhbz#20000) * Thu Oct 5 2000 Nalin Dahyabhai - apply kpasswd bug fixes from David Wragg * Wed Oct 4 2000 Nalin Dahyabhai -- make krb5-libs obsolete the old krb5-configs package (#18351) +- make krb5-libs obsolete the old krb5-configs package (rhbz#18351) - don't quit from the kpropd init script if there's no principal database so that you can propagate the first time without running kpropd manually - don't complain if /etc/ld.so.conf doesn't exist in the -libs %%post * Tue Sep 12 2000 Nalin Dahyabhai - fix credential forwarding problem in klogind (goof in KRB5CCNAME handling) - (#11588) -- fix heap corruption bug in FTP client (#14301) + (rhbz#11588) +- fix heap corruption bug in FTP client (rhbz#14301) * Wed Aug 16 2000 Nalin Dahyabhai - fix summaries and descriptions - switched the default transfer protocol from PORT to PASV as proposed on - bugzilla (#16134), and to match the regular ftp package's behavior + bugzilla (rhbz#16134), and to match the regular ftp package's behavior * Wed Jul 19 2000 Jeff Johnson - rebuild to compress man pages. @@ -4137,7 +4146,7 @@ exit 0 * Sat Jun 3 2000 Nalin Dahyabhai - use %%{_infodir} to better comply with FHS - move .so files to -devel subpackage -- tweak xinetd config files (bugs #11833, #11835, #11836, #11840) +- tweak xinetd config files (bugs rhbz#11833, rhbz#11835, rhbz#11836, rhbz#11840) - fix package descriptions again * Wed May 24 2000 Nalin Dahyabhai @@ -4174,7 +4183,7 @@ exit 0 - fix configure stuff for ia64 * Mon Apr 10 2000 Nalin Dahyabhai -- add LDCOMBINE=-lc to configure invocation to use libc versioning (bug #10653) +- add LDCOMBINE=-lc to configure invocation to use libc versioning (rhbz#10653) - change Requires: for/in subpackages to include %%{version} * Wed Apr 05 2000 Nalin Dahyabhai diff --git a/sources b/sources index d6c0df1..58dc8d0 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (krb5-1.21.tar.gz) = 8ee2366888f6d553a44fc642a89c69a57dbc1ec4c89a36b9ba8b00584a9a32c73a2b0566ba5f21852ad9617046666c276dac402393bf8eb19fbe0c07a838071a -SHA512 (krb5-1.21.tar.gz.asc) = 7147a44a13f4f26c5c1d9aba738b32892b50e351ad149dcaf0b6f2c010e3c51d7d51540d0a51b085450ffa31d5027b5f2e5841109d7af8bdaddbdd3a569582d5 +SHA512 (krb5-1.21.2.tar.gz) = 4e09296b412383d53872661718dbfaa90201e0d85f69db48e57a8d4bd73c95a90c7ec7b6f0f325f6bc967f8d203b256b071c0191facf080aca0e2caec5d0ac49 +SHA512 (krb5-1.21.2.tar.gz.asc) = 1cee1ed77047067d7b6fb3620ffa6f5807d4182ae7cfeec6d5cc847c99f30c6dd2a5c1a160d992a13eb6d84754b202895a982111618711f3c14f4aa33c07d9e9